Windows Analysis Report
nitro_pro14.exe

Overview

General Information

Sample name: nitro_pro14.exe
Analysis ID: 1533060
MD5: 957c08652837223a7876d64f5f93f232
SHA1: 22cb448ac6bd4fc47a1889aa2643f0bd91e9c7ff
SHA256: 071dcd0fb10975eea48df1f75b3c6ecaec30c901fc7639ad8e60b99c231ee223

Detection

Score: 25
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Potentially malicious time measurement code found
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

  • System is w10x64
  • nitro_pro14.exe (PID: 6980 cmdline: "C:\Users\user\Desktop\nitro_pro14.exe" MD5: 957C08652837223A7876D64F5F93F232)
    • nitro_pro14.exe (PID: 7044 cmdline: "C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe" -burn.clean.room="C:\Users\user\Desktop\nitro_pro14.exe" -burn.filehandle.attached=652 -burn.filehandle.self=680 MD5: 957C08652837223A7876D64F5F93F232)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Source: C:\Users\user\Desktop\nitro_pro14.exeCode function: 0_2_000DBCDD DecryptFileW,0_2_000DBCDD
Source: C:\Users\user\Desktop\nitro_pro14.exeCode function: 0_2_000DBAC2 DecryptFileW,DecryptFileW,0_2_000DBAC2
Source: C:\Users\user\Desktop\nitro_pro14.exeCode function: 0_2_00104B6F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,0_2_00104B6F
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_00A7BCDD DecryptFileW,1_2_00A7BCDD
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_00A7BAC2 DecryptFileW,DecryptFileW,1_2_00A7BAC2
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_00AA4B6F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,1_2_00AA4B6F
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A4578D0 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptReleaseContext,GetLastError,1_2_6A4578D0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A459330 MultiByteToWideChar,MultiByteToWideChar,GetLastError,CryptAcquireContextW,CryptGetProvParam,GetLastError,CryptReleaseContext,CryptGetProvParam,GetLastError,CryptReleaseContext,1_2_6A459330
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A458500 CryptAcquireContextW,GetLastError,CryptGetUserKey,CryptReleaseContext,1_2_6A458500
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A40F590 CryptQueryObject,CryptMsgGetParam,CryptMsgGetParam,CertFindCertificateInStore,_invalid_parameter_noinfo_noreturn,1_2_6A40F590
Source: nitro_pro14.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: nitro_pro14.exeStatic PE information: certificate valid
Source: unknownHTTPS traffic detected: 104.16.123.109:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: nitro_pro14.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\build\nitroapp\vs2022-windows32\src\installer\bootstrapper\bootstrapper_dll\obj\Win32\Release\NitroBA.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000003.1700798161.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2951735153.0000000006642000.00000002.00000001.01000000.0000000B.sdmp, nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, NitroBA.dll.1.dr
Source: Binary string: C:\build\nitroapp\vs2022-windows32\src\installer\bootstrapper\page_transitions\obj\Win32\Release\PageTransitions.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2952860245.0000000006DF2000.00000002.00000001.01000000.0000000E.sdmp, PageTransitions.dll.1.dr
Source: Binary string: ?\C:\Windows\dll\NitroBA.pdb source: nitro_pro14.exe, 00000001.00000002.2951818300.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\NitroBA.pdbpdboBA.pdb source: nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\agent\_work\35\s\wix\build\ship\x86\burn.pdb source: nitro_pro14.exe, nitro_pro14.exe.0.dr
Source: Binary string: C:\agent\_work\35\s\wix\build\obj\ship\x86\core\BootstrapperCore.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951384555.0000000006202000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.1.dr
Source: Binary string: \??\C:\Windows\NitroBA.pdbw source: nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\agent\_work\35\s\wix\build\ship\x86\burn.pdb4 source: nitro_pro14.exe, nitro_pro14.exe.0.dr
Source: Binary string: C:\build\nitroapp\vs2022-windows32\src\installer\bootstrapper\page_transitions\obj\Win32\Release\PageTransitions.pdbd\~\ p\_CorDllMainmscoree.dll source: nitro_pro14.exe, 00000001.00000002.2952860245.0000000006DF2000.00000002.00000001.01000000.0000000E.sdmp, PageTransitions.dll.1.dr
Source: Binary string: C:\agent\_work\35\s\wix\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.1.dr
Source: Binary string: \??\C:\Windows\NitroBA.pdb source: nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\agent\_work\35\s\wix\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: Microsoft.Deployment.WindowsInstaller.dll.1.dr
Source: Binary string: C:\build\nitroapp\vs2022-windows32\bin\Release\metrics.pdb source: nitro_pro14.exe, 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp, metrics.dll.1.dr
Source: Binary string: C:\Users\lbugn\Documents\MVVMLight\GalaSoft.MvvmLight\GalaSoft.MvvmLight (NET4)\obj\Release\GalaSoft.MvvmLight.pdb source: nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.dr
Source: Binary string: C:\agent\_work\35\s\wix\build\ship\x86\mbahost.pdb source: nitro_pro14.exe, 00000001.00000002.2956422927.000000006CC08000.00000002.00000001.01000000.00000007.sdmp, mbahost.dll.1.dr
Source: Binary string: C:\Users\lbugn\Documents\MVVMLight\GalaSoft.MvvmLight\GalaSoft.MvvmLight (NET4)\obj\Release\GalaSoft.MvvmLight.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.dr
Source: Binary string: C:\agent\_work\35\s\wix\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.1.dr
Source: C:\Users\user\Desktop\nitro_pro14.exeCode function: 0_2_000C3B2C FindFirstFileW,FindClose,0_2_000C3B2C
Source: C:\Users\user\Desktop\nitro_pro14.exeCode function: 0_2_000FC1FF FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_000FC1FF
Source: C:\Users\user\Desktop\nitro_pro14.exeCode function: 0_2_000C1700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,0_2_000C1700
Source: C:\Users\user\Desktop\nitro_pro14.exeCode function: 0_2_000DB76B FindFirstFileW,lstrlenW,FindNextFileW,FindClose,0_2_000DB76B
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_00A63B2C FindFirstFileW,FindClose,1_2_00A63B2C
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_00A9C1FF FindFirstFileExW,FindNextFileW,FindClose,FindClose,1_2_00A9C1FF
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_00A61700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,1_2_00A61700
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_00A7B76B FindFirstFileW,lstrlenW,FindNextFileW,FindClose,1_2_00A7B76B
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A4D48E0 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,free,_errno,_errno,FindNextFileW,WideCharToMultiByte,_errno,1_2_6A4D48E0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A4E175D ___std_fs_close_handle@4,FindFirstFileExW,GetLastError,1_2_6A4E175D
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A4E1794 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,___std_fs_close_handle@4,1_2_6A4E1794
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 4x nop then movd mm0, dword ptr [edx]1_2_6A38CFF0
Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: desktop.gonitro.com
Source: unknown HTTP traffic detected:
  POST /v14.29.1.0/events HTTP/1.1
  Content-type: application/json
  User-Agent: Nitro 14.29.1.0
  Host: desktop.gonitro.com
  Content-Length: 334
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: nitro_pro14.exeString found in binary or memory: http://appsyndication.org/2006/appsyn
Source: nitro_pro14.exe, nitro_pro14.exe.0.drString found in binary or memory: http://appsyndication.org/2006/appsynapplicationc:
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.drString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.drString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.drString found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.drString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.drString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.drString found in binary or memory: http://ocsp.digicert.com0A
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.drString found in binary or memory: http://ocsp.digicert.com0C
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.drString found in binary or memory: http://ocsp.digicert.com0O
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.drString found in binary or memory: http://ocsp.digicert.com0X
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.drString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.drString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.drString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.drString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: nitro_pro14.exeString found in binary or memory: http://wixtoolset.org/
Source: nitro_pro14.exe, 00000001.00000002.2951384555.0000000006202000.00000002.00000001.01000000.0000000A.sdmp, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.drString found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951384555.0000000006202000.00000002.00000001.01000000.0000000A.sdmp, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.drString found in binary or memory: http://wixtoolset.org/news/
Source: nitro_pro14.exe, Microsoft.Deployment.WindowsInstaller.dll.1.drString found in binary or memory: http://wixtoolset.org/releases/
Source: nitro_pro14.exe, 00000001.00000002.2951384555.0000000006202000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.1.drString found in binary or memory: http://wixtoolset.org/releases/SCreating
Source: mbapreq.thm.1.drString found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: nitro_pro14.exeString found in binary or memory: http://wixtoolset.org/telemetry/v
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.drString found in binary or memory: http://www.digicert.com/CPS0
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.drString found in binary or memory: http://www.galasoft.ch
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.drString found in binary or memory: http://www.galasoft.ch/s/dialogmessage.
Source: nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.drString found in binary or memory: http://www.galasoft.ch4
Source: nitro_pro14.exe, 00000001.00000002.2951681502.000000000663A000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.drString found in binary or memory: http://www.galasoft.chN
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2950609083.0000000004101000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.gonitro.com/
Source: nitro_pro14.exe, 00000001.00000002.2951735153.0000000006642000.00000002.00000001.01000000.0000000B.sdmp, NitroBA.dll.1.drString found in binary or memory: http://www.gonitro.com///support/privacy-policy
Source: nitro_pro14.exe, 00000001.00000002.2950609083.0000000004526000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.gonitro.com/en/support/privacy-po
Source: nitro_pro14.exe, 00000001.00000002.2950609083.0000000004526000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.gonitro.com/en/support/privacy-policy
Source: nitro_pro14.exe, 00000001.00000002.2950609083.0000000004526000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.gonitro.com/en/support/privacy-policy09
Source: nitro_pro14.exe, 00000001.00000002.2950609083.0000000004101000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.gonitro.com/en/support/privacy-policyx
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951735153.0000000006642000.00000002.00000001.01000000.0000000B.sdmp, nitro_pro14.exe, 00000001.00000002.2950609083.0000000004101000.00000004.00000800.00020000.00000000.sdmp, NitroBA.dll.1.drString found in binary or memory: http://www.gonitro.com/services/linkredirector.aspx?lr_loc=
Source: nitro_pro14.exe, 00000001.00000002.2950609083.0000000004101000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.gonitro.com/services/linkredirector.aspx?lr_loc=en&lr_src=retail&lr_prod=Professional&lr_
Source: nitro_pro14.exeString found in binary or memory: http://www.google.com
Source: nitro_pro14.exe, 00000001.00000002.2951735153.0000000006642000.00000002.00000001.01000000.0000000B.sdmp, NitroBA.dll.1.drString found in binary or memory: http://www.google.com)WPD
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp, metrics.dll.1.drString found in binary or memory: https://desktop.gonitro.com
Source: nitro_pro14.exe, 00000001.00000002.2951818300.00000000067DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://desktop.gonitro.com/
Source: nitro_pro14.exe, 00000001.00000002.2951818300.00000000067DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://desktop.gonitro.com/M
Source: nitro_pro14.exe, 00000001.00000002.2951818300.00000000067DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://desktop.gonitro.com/v14.29.1.0/events
Source: nitro_pro14.exe, 00000001.00000002.2951818300.00000000067DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://desktop.gonitro.com/v14.29.1.0/events=
Source: nitro_pro14.exe, 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp, metrics.dll.1.drString found in binary or memory: https://desktop.gonitro.comhttps://desktop.gonitrodev.commetrics.use_dev_servert
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp, metrics.dll.1.drString found in binary or memory: https://desktop.gonitrodev.com
Source: nitro_pro14.exe, 00000000.00000003.1689742811.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000003.1689862045.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000002.2947590094.0000000000E90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://downloads.gonitro.com/professional_14.29.1.0/en
Source: nitro_pro14.exe, 00000000.00000003.1689742811.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000003.1689862045.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000002.2947590094.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000002.2948280651.0000000003400000.00000004.00000800.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2947992871.0000000000E2F000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000003.1696687450.0000000000E36000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2950438684.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000003.1696687450.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, BootstrapperApplicationData.xml.1.drString found in binary or memory: https://downloads.gonitro.com/professional_14.29.1.0/en/retail/nitro_pro14_ba_x64.msi
Source: nitro_pro14.exe, 00000000.00000003.1689742811.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000003.1689862045.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000002.2947590094.0000000000E90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: nitro_pro14.exe, 00000001.00000003.1696687450.0000000000E2F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microI
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.drString found in binary or memory: https://wixtoolset.org/
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.drString found in binary or memory: https://www.globalsign.com/repository/0
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.drString found in binary or memory: https://www.gonitro.com
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A40C340: MultiByteToWideChar,memset,MultiByteToWideChar,_invalid_parameter_noinfo_noreturn,DeviceIoControl,CloseHandle,std::_Xregex_error,fwrite,_errno,1_2_6A40C340
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A409EA01_2_6A409EA0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A3D2F201_2_6A3D2F20
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A38DF401_2_6A38DF40
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A42AC101_2_6A42AC10
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A3EBC801_2_6A3EBC80
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A41CDE01_2_6A41CDE0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A3EC2101_2_6A3EC210
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A42B2201_2_6A42B220
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A3D72501_2_6A3D7250
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A4262901_2_6A426290
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A3F72D01_2_6A3F72D0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A4423A01_2_6A4423A0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A3810001_2_6A381000
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A3D50A01_2_6A3D50A0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A3D40C01_2_6A3D40C0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A4231201_2_6A423120
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A4156301_2_6A415630
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A42A6F01_2_6A42A6F0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A3D67201_2_6A3D6720
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A3D97101_2_6A3D9710
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A43F7001_2_6A43F700
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A46F4301_2_6A46F430
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A4194D01_2_6A4194D0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A3D64801_2_6A3D6480
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A3B65401_2_6A3B6540
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A4225801_2_6A422580
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A46E5901_2_6A46E590
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A3D35E01_2_6A3D35E0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6CBF9E1C1_2_6CBF9E1C
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6CC007381_2_6CC00738
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6CBF9A8E1_2_6CBF9A8E
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6CC002B01_2_6CC002B0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6CC063CE1_2_6CC063CE
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6CBFC3AC1_2_6CBFC3AC
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_066487031_2_06648703
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_06647E1C1_2_06647E1C
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe | Code function: String function: 00AA534A appears 683 times; 6A3E7AD0 appears 108 times; 6A3E31A0 appears 87 times; 00A613B3 appears 501 times; 6A4E0A30 appears 50 times; 6CBF4460 appears 34 times; 00AA78B5 appears 79 times; 6A42DE20 appears 55 times; 00A629F6 appears 54 times; 00AA5831 appears 34 times; 00A90AC0 appears 33 times; 6A400440 appears 48 times
Source: C:\Users\user\Desktop\nitro_pro14.exe | Code function: String function: 000F0AC0 appears 33 times; 001078B5 appears 79 times; 000C29F6 appears 54 times; 00105831 appears 34 times; 000C13B3 appears 501 times; 0010534A appears 683 times
Source: nitro_pro14.exe | Binary or memory string: OriginalFilename vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2947992871.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2952860245.0000000006DF2000.00000002.00000001.01000000.0000000E.sdmp | Binary or memory string: OriginalFilenamePageTransitions.dll@ vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2951681502.000000000663A000.00000002.00000001.01000000.0000000C.sdmp | Binary or memory string: OriginalFilenameGalaSoft.MvvmLight.dllF vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2951735153.0000000006642000.00000002.00000001.01000000.0000000B.sdmp | Binary or memory string: OriginalFilenameNitroBA.dll< vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2956473751.000000006CC12000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: OriginalFilenamembahost.dll\ vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2951420115.0000000006214000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: OriginalFilenameBootstrapperCore.dll\ vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2956329196.000000006A565000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: OriginalFilenamemetrics< vs nitro_pro14.exe
Source: nitro_pro14.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: classification engine | Classification label: sus25.evad.winEXE@3/51@1/1
Source: C:\Users\user\Desktop\nitro_pro14.exe | Code function: 0_2_000C2A4C FormatMessageW,GetLastError,LocalFree
Source: C:\Users\user\Desktop\nitro_pro14.exe | Code function: 0_2_000C62C2 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe | Code function: 1_2_00A662C2 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe | Code function: 1_2_6A414060 CreateToolhelp32Snapshot,CloseHandle,_CxxThrowException,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next
Source: C:\Users\user\Desktop\nitro_pro14.exe | Code function: 0_2_00107615 GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess
Source: C:\Users\user\Desktop\nitro_pro14.exe | Code function: 0_2_000E864A ChangeServiceConfigW,GetLastError
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe | File created: C:\Users\user\AppData\Roaming\Nitro
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\nitro_pro14.exe | File created: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\
Source: C:\Users\user\Desktop\nitro_pro14.exe | Command line argument (0_2_000C10E1): cabinet.dll, msi.dll, version.dll, wininet.dll, comres.dll, clbcatq.dll, msasn1.dll, crypt32.dll, feclient.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe | Command line argument (1_2_00A610E1): cabinet.dll, msi.dll, version.dll, wininet.dll, comres.dll, clbcatq.dll, msasn1.dll, crypt32.dll, feclient.dll
Source: nitro_pro14.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\nitro_pro14.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: nitro_pro14.exe | String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: nitro_pro14.exe | String found in binary or memory: resources/nitro-installer-convert.png
Source: nitro_pro14.exe | String found in binary or memory: resources/nitro-installer-devices.png
Source: nitro_pro14.exe | String found in binary or memory: resources/nitro-installer-customer-logos.png
Source: nitro_pro14.exe | String found in binary or memory: resources/nitro-installer-edit.png
Source: nitro_pro14.exe | String found in binary or memory: resources/nitro-installer-sign.png
Source: nitro_pro14.exe | String found in binary or memory: resources/nitro-installer-office-scene.png
Source: C:\Users\user\Desktop\nitro_pro14.exe | File read: C:\Users\user\Desktop\nitro_pro14.exe
Source: unknown | Process created: C:\Users\user\Desktop\nitro_pro14.exe "C:\Users\user\Desktop\nitro_pro14.exe"
Source: C:\Users\user\Desktop\nitro_pro14.exe | Process created: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe "C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe" -burn.clean.room="C:\Users\user\Desktop\nitro_pro14.exe" -burn.filehandle.attached=652 -burn.filehandle.self=680
Source: C:\Users\user\Desktop\nitro_pro14.exe | Section loaded: kernel.appcore.dll, cryptbase.dll, msi.dll, version.dll, cabinet.dll, msxml3.dll, windows.storage.dll, wldp.dll, profapi.dll, feclient.dll, iertutil.dll, apphelp.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe | Section loaded: kernel.appcore.dll, cryptbase.dll, msi.dll, version.dll, cabinet.dll, msxml3.dll, windows.storage.dll, wldp.dll, profapi.dll, feclient.dll, iertutil.dll, uxtheme.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, mscoree.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, dwrite.dll, msvcp140_clr0400.dll, ncrypt.dll, wininet.dll, msvcp140.dll, msvcp140_atomic_wait.dll, mfc140u.dll, concrt140.dll, vcruntime140.dll, msasn1.dll, ntasn1.dll, sspicli.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, dpapi.dll, gpapi.dll, ncryptsslp.dll, dwmapi.dll, d3d9.dll, d3d10warp.dll, windowscodecs.dll, wtsapi32.dll, winsta.dll, powrprof.dll, umpdc.dll, dataexchange.dll, d3d11.dll, dcomp.dll, dxgi.dll, twinapi.appcore.dll, resourcepolicyclient.dll, dxcore.dll, msctfui.dll, uiautomationcore.dll, propsys.dll, d3dcompiler_47.dll, textshaping.dll, winmm.dll
Source: C:\Users\user\Desktop\nitro_pro14.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: nitro_pro14.exe | Static PE information: certificate valid
Source: nitro_pro14.exe | Static file information: File size 2457960 > 1048576
Source: nitro_pro14.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: nitro_pro14.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: nitro_pro14.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: nitro_pro14.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: nitro_pro14.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: nitro_pro14.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: nitro_pro14.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\build\nitroapp\vs2022-windows32\src\installer\bootstrapper\bootstrapper_dll\obj\Win32\Release\NitroBA.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000003.1700798161.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2951735153.0000000006642000.00000002.00000001.01000000.0000000B.sdmp, nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, NitroBA.dll.1.dr
Source: Binary string: C:\build\nitroapp\vs2022-windows32\src\installer\bootstrapper\page_transitions\obj\Win32\Release\PageTransitions.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2952860245.0000000006DF2000.00000002.00000001.01000000.0000000E.sdmp, PageTransitions.dll.1.dr
Source: Binary string: ?\C:\Windows\dll\NitroBA.pdb source: nitro_pro14.exe, 00000001.00000002.2951818300.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\NitroBA.pdbpdboBA.pdb source: nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\agent\_work\35\s\wix\build\ship\x86\burn.pdb source: nitro_pro14.exe, nitro_pro14.exe.0.dr
Source: Binary string: C:\agent\_work\35\s\wix\build\obj\ship\x86\core\BootstrapperCore.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951384555.0000000006202000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.1.dr
Source: Binary string: \??\C:\Windows\NitroBA.pdbw source: nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\agent\_work\35\s\wix\build\ship\x86\burn.pdb4 source: nitro_pro14.exe, nitro_pro14.exe.0.dr
Source: Binary string: C:\build\nitroapp\vs2022-windows32\src\installer\bootstrapper\page_transitions\obj\Win32\Release\PageTransitions.pdbd\~\ p\_CorDllMainmscoree.dll source: nitro_pro14.exe, 00000001.00000002.2952860245.0000000006DF2000.00000002.00000001.01000000.0000000E.sdmp, PageTransitions.dll.1.dr
Source: Binary string: C:\agent\_work\35\s\wix\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.1.dr
Source: Binary string: \??\C:\Windows\NitroBA.pdb source: nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\agent\_work\35\s\wix\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: Microsoft.Deployment.WindowsInstaller.dll.1.dr
Source: Binary string: C:\build\nitroapp\vs2022-windows32\bin\Release\metrics.pdb source: nitro_pro14.exe, 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp, metrics.dll.1.dr
Source: Binary string: C:\Users\lbugn\Documents\MVVMLight\GalaSoft.MvvmLight\GalaSoft.MvvmLight (NET4)\obj\Release\GalaSoft.MvvmLight.pdb source: nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.dr
Source: Binary string: C:\agent\_work\35\s\wix\build\ship\x86\mbahost.pdb source: nitro_pro14.exe, 00000001.00000002.2956422927.000000006CC08000.00000002.00000001.01000000.00000007.sdmp, mbahost.dll.1.dr
Source: Binary string: C:\Users\lbugn\Documents\MVVMLight\GalaSoft.MvvmLight\GalaSoft.MvvmLight (NET4)\obj\Release\GalaSoft.MvvmLight.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.dr
Source: Binary string: C:\agent\_work\35\s\wix\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.1.dr
Source: nitro_pro14.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: nitro_pro14.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: nitro_pro14.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: nitro_pro14.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: nitro_pro14.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: nitro_pro14.exe | Static PE information: section name: .wixburn
Source: nitro_pro14.exe.0.dr | Static PE information: section name: .wixburn
Source: C:\Users\user\Desktop\nitro_pro14.exeCode function: 0_2_000F0B06 push ecx; ret 0_2_000F0B19
Source: C:\Users\user\Desktop\nitro_pro14.exeCode function: 0_2_0010CCD3 push ecx; ret 0_2_0010CCE6
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_00A90B06 push ecx; ret 1_2_00A90B19
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_00AACCD3 push ecx; ret 1_2_00AACCE6
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_06635B25 push es; ret 1_2_06635B2A
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A4E0E28 push ecx; ret 1_2_6A4E0E3B
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A382C10 push 89084589h; iretd 1_2_6A382C15
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6CBF44A6 push ecx; ret 1_2_6CBF44B9
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6CC06AE3 push ecx; ret 1_2_6CC06AF6
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_031A6590 pushad ; iretd 1_2_031A6591
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_031A7590 push es; ret 1_2_031A75A0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_031AD5F0 push E8717814h; iretd 1_2_031AD5F5
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_031AB440 push esp; retf 1_2_031AB449
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_031A6B15 pushfd ; iretd 1_2_031A6B19
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_031AAF4B pushad ; iretd 1_2_031AAF59
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_031AAF7B pushfd ; iretd 1_2_031AAF89
Source: NitroBA.dll.1.drStatic PE information: section name: .text entropy: 7.17009385214746
Source: metrics.dll.1.drStatic PE information: section name: .text entropy: 6.950457755326262
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeFile created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\de\NitroBA.resources.dll
Source: C:\Users\user\Desktop\nitro_pro14.exeFile created: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeFile created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\fr\NitroBA.resources.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeFile created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\PageTransitions.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeFile created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\it\NitroBA.resources.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeFile created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\nl\NitroBA.resources.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeFile created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeFile created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\BootstrapperCore.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeFile created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbapreq.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeFile created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\es\NitroBA.resources.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeFile created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbahost.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeFile created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\metrics.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeFile created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\GalaSoft.MvvmLight.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeFile created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\NitroBA.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeMemory allocated: 2DF0000 memory reserve | memory write watch
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeMemory allocated: 4100000 memory reserve | memory write watch
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeMemory allocated: 32F0000 memory reserve | memory write watch
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A381A90 rdtsc 1_2_6A381A90
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A414060 CreateToolhelp32Snapshot,CloseHandle,_CxxThrowException,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,1_2_6A414060
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeWindow / User API: threadDelayed 405
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeDropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\de\NitroBA.resources.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeDropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\fr\NitroBA.resources.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeDropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\PageTransitions.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeDropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\it\NitroBA.resources.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeDropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\nl\NitroBA.resources.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeDropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeDropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\BootstrapperCore.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeDropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbapreq.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeDropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\es\NitroBA.resources.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeDropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbahost.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeDropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\metrics.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeDropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\GalaSoft.MvvmLight.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeDropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\NitroBA.dll
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\nitro_pro14.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\nitro_pro14.exeAPI coverage: 9.1 %
Source: C:\Users\user\Desktop\nitro_pro14.exeCode function: 0_2_00104FD0 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0010506Bh0_2_00104FD0
Source: C:\Users\user\Desktop\nitro_pro14.exeCode function: 0_2_00104FD0 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00105064h0_2_00104FD0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_00AA4FD0 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00AA506Bh1_2_00AA4FD0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_00AA4FD0 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00AA5064h1_2_00AA4FD0
Source: C:\Users\user\Desktop\nitro_pro14.exeCode function: 0_2_000C3B2C FindFirstFileW,FindClose,0_2_000C3B2C
Source: C:\Users\user\Desktop\nitro_pro14.exeCode function: 0_2_000FC1FF FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_000FC1FF
Source: C:\Users\user\Desktop\nitro_pro14.exeCode function: 0_2_000C1700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,0_2_000C1700
Source: C:\Users\user\Desktop\nitro_pro14.exeCode function: 0_2_000DB76B FindFirstFileW,lstrlenW,FindNextFileW,FindClose,0_2_000DB76B
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_00A63B2C FindFirstFileW,FindClose,1_2_00A63B2C
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_00A9C1FF FindFirstFileExW,FindNextFileW,FindClose,FindClose,1_2_00A9C1FF
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_00A61700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,1_2_00A61700
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_00A7B76B FindFirstFileW,lstrlenW,FindNextFileW,FindClose,1_2_00A7B76B
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A4D48E0 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,free,_errno,_errno,FindNextFileW,WideCharToMultiByte,_errno,1_2_6A4D48E0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A4E175D ___std_fs_close_handle@4,FindFirstFileExW,GetLastError,1_2_6A4E175D
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A4E1794 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,___std_fs_close_handle@4,1_2_6A4E1794
Source: C:\Users\user\Desktop\nitro_pro14.exeCode function: 0_2_000EFB9C VirtualQuery,GetSystemInfo,0_2_000EFB9C
Source: nitro_pro14.exe, 00000001.00000003.2197325293.0000000006819000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2951818300.00000000067DF000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2951818300.0000000006819000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: nitro_pro14.exe, 00000001.00000003.2197325293.0000000006819000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2951818300.0000000006819000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBnqZ
Source: C:\Users\user\Desktop\nitro_pro14.exeAPI call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeAPI call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A381A901_2_6A381A90
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A381B001_2_6A381B00
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exeCode function: 1_2_6A381A90 rdtsc 1_2_6A381A90
Source: C:\Users\user\Desktop\nitro_pro14.exeCode function: 0_2_000F84A7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_000F84A7
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Code function: 1_2_6A414060 CreateToolhelp32Snapshot,CloseHandle,_CxxThrowException,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,1_2_6A414060
Source: C:\Users\user\Desktop\nitro_pro14.exe Code function: 0_2_000F9808 mov ecx, dword ptr fs:[00000030h] 0_2_000F9808
Source: C:\Users\user\Desktop\nitro_pro14.exe Code function: 0_2_000FCF2C mov eax, dword ptr fs:[00000030h] 0_2_000FCF2C
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Code function: 1_2_00A99808 mov ecx, dword ptr fs:[00000030h] 1_2_00A99808
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Code function: 1_2_00A9CF2C mov eax, dword ptr fs:[00000030h] 1_2_00A9CF2C
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Code function: 1_2_6CBFDCB7 mov eax, dword ptr fs:[00000030h] 1_2_6CBFDCB7
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Code function: 1_2_6CBFB3F1 mov ecx, dword ptr fs:[00000030h] 1_2_6CBFB3F1
Source: C:\Users\user\Desktop\nitro_pro14.exe Code function: 0_2_000C50E9 GetProcessHeap,RtlAllocateHeap,0_2_000C50E9
Source: C:\Users\user\Desktop\nitro_pro14.exe Code function: 0_2_000F03A9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_000F03A9
Source: C:\Users\user\Desktop\nitro_pro14.exe Code function: 0_2_000F84A7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_000F84A7
Source: C:\Users\user\Desktop\nitro_pro14.exe Code function: 0_2_000F0874 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_000F0874
Source: C:\Users\user\Desktop\nitro_pro14.exe Code function: 0_2_000F0A07 SetUnhandledExceptionFilter,0_2_000F0A07
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Code function: 1_2_00A903A9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00A903A9
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Code function: 1_2_00A984A7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00A984A7
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Code function: 1_2_00A90874 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00A90874
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Code function: 1_2_00A90A07 SetUnhandledExceptionFilter,1_2_00A90A07
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Code function: 1_2_6A4E0B10 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_6A4E0B10
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Code function: 1_2_6A4E0F75 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_6A4E0F75
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Code function: 1_2_6CBF44BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_6CBF44BC
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Code function: 1_2_6CBFAC7C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_6CBFAC7C
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Code function: 1_2_6CBF42E6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_6CBF42E6
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\nitro_pro14.exe Process created: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe "C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe" -burn.clean.room="C:\Users\user\Desktop\nitro_pro14.exe" -burn.filehandle.attached=652 -burn.filehandle.self=680
Source: C:\Users\user\Desktop\nitro_pro14.exe Code function: 0_2_00105CFE InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,0_2_00105CFE
Source: C:\Users\user\Desktop\nitro_pro14.exe Code function: 0_2_0010801A AllocateAndInitializeSid,CheckTokenMembership,0_2_0010801A
Source: C:\Users\user\Desktop\nitro_pro14.exe Code function: 0_2_000F0C37 cpuid 0_2_000F0C37
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Code function: GetLocaleInfoEx,FormatMessageA,1_2_6A4E14CD
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Queries volume information: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\BootstrapperCore.dll VolumeInformation
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Queries volume information: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\NitroBA.dll VolumeInformation
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Queries volume information: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\GalaSoft.MvvmLight.dll VolumeInformation
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Queries volume information: C:\Users\user\AppData\Roaming\Nitro\PDF Pro\14 VolumeInformation
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Queries volume information: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\PageTransitions.dll VolumeInformation
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\Desktop\nitro_pro14.exe Code function: 0_2_000D6BA2 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,0_2_000D6BA2
Source: C:\Users\user\Desktop\nitro_pro14.exe Code function: 0_2_001092A6 GetSystemTimeAsFileTime,0_2_001092A6
Source: C:\Users\user\Desktop\nitro_pro14.exe Code function: 0_2_000C7E8C GetUserNameW,GetLastError,0_2_000C7E8C
Source: C:\Users\user\Desktop\nitro_pro14.exe Code function: 0_2_0010BDED GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,0_2_0010BDED
Source: C:\Users\user\Desktop\nitro_pro14.exe Code function: 0_2_000C6E5B GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,0_2_000C6E5B
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (1); Command and Scripting Interpreter (3); Service Execution (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Windows Service (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (1); Process Injection (12); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (1); DLL Side-Loading (1); Masquerading (11); Virtualization/Sandbox Evasion (1); Access Token Manipulation (1); Process Injection (12)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (12); Account Discovery (1); File and Directory Discovery (1); System Information Discovery (35); Security Software Discovery (41); Virtualization/Sandbox Evasion (1); Process Discovery (1); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (21); Non-Application Layer Protocol (2); Application Layer Protocol (3); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Source | Detection | Scanner | Label | Link
nitro_pro14.exe | 0% | Virustotal | | Browse
nitro_pro14.exe | 0% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\BootstrapperCore.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\BootstrapperCore.dll | 0% | Virustotal | | Browse
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\GalaSoft.MvvmLight.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\GalaSoft.MvvmLight.dll | 0% | Virustotal | | Browse
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\Microsoft.Deployment.WindowsInstaller.dll | 0% | Virustotal | | Browse
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\NitroBA.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\NitroBA.dll | 0% | Virustotal | | Browse
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\PageTransitions.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\de\NitroBA.resources.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\es\NitroBA.resources.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\fr\NitroBA.resources.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\it\NitroBA.resources.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbahost.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbapreq.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\metrics.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\nl\NitroBA.resources.dll | 0% | ReversingLabs | |
C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe | 0% | ReversingLabs | |

No Antivirus matches

Source | Detection | Scanner | Label | Link
desktop.gonitro.com | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
desktop.gonitro.com | 104.16.123.109 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://desktop.gonitro.com/v14.29.1.0/events | false | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.16.123.109 | desktop.gonitro.com | United States | | 13335 | CLOUDFLARENETUS | false

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1533060
Start date and time: 2024-10-14 11:36:40 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: nitro_pro14.exe
Detection: SUS
Classification: sus25.evad.winEXE@3/51@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 127
• Number of non-executed functions: 257
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context
Process: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 7570
Entropy (8bit): 5.417403550389517
Encrypted: false
SSDEEP: 96:VRJgGzruELeheSmleXeAue8A0eCN/z85cUwdDtNUpQ:V1ru52AqNb85cUuZNV
MD5: 7AD3F18FB71F77403CF83FB6D24A78F8
SHA1: E4977D809683CAB7BBAE2B5C8B3F186E718ACDA1
SHA-256: 4B1105928F9E5D23893E701565A9330A2575F3985BAEF418C5B2FFAB30E6E3E5
SHA-512: 19EC7B3DD74D736B1F7C1C26B38992BBDC71EE4DEBF24567BF110953746B55578BD8B0F137113F553A402238D2CC647AEE0651E2F9F4CF67F3009A70BA4E5B9F
Malicious: false
Reputation: low
Preview: [1B84:1B88][2024-10-14T05:37:33]i001: Burn v3.14.0.8606, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe..[1B84:1B88][2024-10-14T05:37:33]i000: Initializing string variable 'InstallLanguage' to value 'en-US'..[1B84:1B88][2024-10-14T05:37:33]i000: Initializing string variable 'MajorVersion' to value '14'..[1B84:1B88][2024-10-14T05:37:33]i000: Initializing string variable 'MSIVersion' to value '14.29.1.0'..[1B84:1B88][2024-10-14T05:37:33]i000: Initializing string variable 'NPBROWSERPLUGIN_B' to value '0'..[1B84:1B88][2024-10-14T05:37:33]i000: Initializing string variable 'OFFICEADDINS_B' to value '1'..[1B84:1B88][2024-10-14T05:37:33]i000: Initializing string variable 'APPLICATIONPATH' to value '[ProgramFilesFolder]Nitro\PDF Pro\14'..[1B84:1B88][2024-10-14T05:37:33]i000: Initializing string variable 'ExeFile' to value 'NitroPDF.exe'..[1B84:1B88][2024-10-14T05:37:33]i000: Initializing string variable 'installSize

Process: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 88
Entropy (8bit): 4.923539397091031
Encrypted: false
SSDEEP: 3:9Hz6ZL4KsML3OVaOYFW4QWfgm75:9Hz6ZLD3iVoCYgm75
MD5: 8C5423579A025011908A2E5397E1EEDD
SHA1: 936F68CEA417350F3A9AB99EA719970736F047BD
                        SHA-256:A7AAB8EE5F7BD5326D6874329D96CEC8A359F7380DC4B80314CCC92242DB2394
                        SHA-512:C1B564EF6F2318C55910042E0F222D43C0FF0836023DD188AF45B4C27269D0B956E7E75DE092116C563C93AD40A6DAFDFB4257AE5A26ED1C8938B466240E5B31
                        Malicious:false
                        Reputation:low
                        Preview:06:53:35:407343 [t:7048] Sending metrics event: [ProBSLaunched] with status: SUCCEEDED..
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2025
                        Entropy (8bit):6.231406644010833
                        Encrypted:false
                        SSDEEP:48:cxX7DTAT8tMBCus9T3FVWmHdniarRFeOrw8Nhv2VyfN3mKNWFP44SBWWW1GyfiPq:8L4T2RJhfHP8+VYuTmQUc2mE
                        MD5:1D4B831F77EFEC96FFBC70BC4B59B8B5
                        SHA1:1B3ED82655AEC8A52DAEC60F8674BC7E07F8CFEB
                        SHA-256:1B93556F07C35AC0564D57E0743CCBA231950962C6506C8D4A74A31CD66FD04C
                        SHA-512:C6CCB188281F161DEBF02DCDDE24B77D8D14943DEED8852E77E5AFB18F3F62683AB1AE06DCEB1E09D53804A76DF6400A360712D8E7E228B7F971054BB4FB2496
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="zh-tw" Language="1028" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName] ...... Microsoft .NET Framework</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/passive | /quiet - ...... UI ............ UI ... ........... UI ........../norestart - ................UI ............./log log.txt - ............ %TEMP% ......</String>.. <Stri
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2458
                        Entropy (8bit):5.36165936198009
                        Encrypted:false
                        SSDEEP:48:cxX7DTZT8u9cktosM6re4mSTcIIyfI7sh/DMNwIHWAoN3mepNRfKPnWZ0hqAQZfC:8LxTK23f33AwIViRrRynRuZfiMS
                        MD5:CC8C6D04DC707B38E0F0C08BA16FE49B
                        SHA1:95EA7F570677AEA52393D02FDB21CEBB218A7343
                        SHA-256:DC445E2457ED31ABF536871F90FF7CC96800A40B6BC033F37D45E3156A3B4FA9
                        SHA-512:A4B19EBC8BB0D88ABA7D3D5783E28F8B6E0960582A540059BC71076B1203BF43BCA15EA726272D15395C7B4E431046ADA1CBB9D55072BBC5DBE7729C4599F0E0
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="cs-cz" Language="1029" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalace produktu [WixBundleName]</String>.. <String Id="Title">Pro instalaci produktu [WixBundleName] je vy.adov.no rozhran. Microsoft .NET Framework.</String>.. <String Id="ConfirmCancelMessage">Opravdu chcete akci zru.it?</String>.. <String Id="HelpHeader">N.pov.da k instalaci</String>.. <String Id="HelpText">/passive | /quiet - Zobraz. minim.ln. u.ivatelsk. rozhran. bez jak.chkoli.. v.zev, nebo nezobraz. ..dn. u.ivatelsk. rozhran. ani ..dn. v.zvy. Ve v.choz.m.. nastaven. se jak u.ivatelsk. rozhran., tak i v.echny v.zvy zobrazuj....../norestart - Potla.. jak.koli p
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2286
                        Entropy (8bit):5.061915970731254
                        Encrypted:false
                        SSDEEP:48:cxX7DCrT81tbzjamsjFq7LhzqGgdRDJNbqoN3mpN+ELPnfyOwYxPyzraXnAF:8LaTOkaEOiGd/BwF
                        MD5:7C6E4CE87870B3B5E71D3EF4555500F8
                        SHA1:E831E8978A48BEAFA04AAD52A564B7EADED4311D
                        SHA-256:CAC263E0E90A4087446A290055257B1C39F17E11F065598CB2286DF4332C7696
                        SHA-512:2A02415A3E5F073F4530FD87C97B685D95B8C0E1B15EFD185CC5CB046FCF1D0DCE28DB9889AD52588B96FE01841A7A61F6B7D6D2F669EAB10A8926C46B8E93D1
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="da-dk" Language="1030" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Installation af [WixBundleName]</String>.. <String Id="Title">Microsoft .NET Framework skal v.re installeret i forbindelse med Installationen af [WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Er du sikker p., at du vil annullere?</String>.. <String Id="HelpHeader">Hj.lp til installation</String>.. <String Id="HelpText">/passive | /quiet - viser en minimal brugergr.nseflade uden prompter eller.. viser ingen brugergr.nseflade og ingen prompter... Brugergr.nsefladen og alle prompter vises som standard...../norestart - skjuler fors.g p. genstart. Der vises som standard en.. foresp.rgse
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2442
                        Entropy (8bit):5.094465051245675
                        Encrypted:false
                        SSDEEP:48:cxX7DASTcCwit/soJy9hkVByUZN+29N3mfN65PS9CvZwZi7uuASD:8LxT8itGeVB97+gyC9BdaSD
                        MD5:C8E7E0B4E63B3076047B7F49C76D56E1
                        SHA1:4E44E656A0D552B2FFD65911CB45245364E5DBF3
                        SHA-256:631D46CB048FB6CF0B9A1362F8E5A1854C46E9525A0260C7841A04B2316C8295
                        SHA-512:FD7E8896F9414F0DB7A88F926F55EE24E0591DA676F330200BC6BB829EB32648D90D3094E0011BFE36C7BA8BE41DFD74B12D444AFEA0D2866801258DA4FA16E8
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="de-de" Language="1031" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <UI Control="InstallButton" Width="180" />.. .. <String Id="Caption">[WixBundleName]-Setup</String>.. <String Id="Title">F.r das [WixBundleName]-Setup ist Microsoft .NET Framework erforderlich.</String>.. <String Id="ConfirmCancelMessage">Sind Sie sicher, dass Sie den Vorgang abbrechen m.chten?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/passive | /quiet - zeigt eine minimale Benutzeroberfl.che ohne.. Eingabeaufforderungen oder keine Benutzeroberfl.che und keine.. Eingabeaufforderungen an. Standardm..ig werden die Benutzeroberfl.che und.. alle Eingabeaufforderungen angezeigt...../no
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):3400
                        Entropy (8bit):5.279888750092028
                        Encrypted:false
                        SSDEEP:48:cxX7D8jVT8dUk9Ug/usOo2pNSBIbESvR2drdESPzghC76DeN2hL0eLoN3mOLSNIx:8L45TCyop5riGzH7xgJit8IqSsBwqk
                        MD5:074D5921AF07E6126049CB45814246ED
                        SHA1:91D4BDDA8D2B703879CFE2C28550E0A46074FA57
                        SHA-256:B8E90E20EDF110AAAAEA54FBC8533872831777BE5589E380CFDD17E1F93147B5
                        SHA-512:28DAC36516BCC76BCC598C6E7ABDE359695F85AB7A830D6ADBC844EB240D9FA372CB5A5CE4DBE21E250408C6B246D371D3CDD656D2178FB0EC22DAC7D39CBD9F
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="el-gr" Language="1032" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">........... ... [WixBundleName]</String>.. <String Id="Title">... ... ........... ... [WixBundleName] .......... .. Microsoft .NET Framework</String>.. <String Id="ConfirmCancelMessage">..... ....... ... ...... .. ..... .......;</String>.. <String Id="HelpHeader">....... ... ... ...........</String>.. <String Id="HelpText">/passive | /quiet - ......... ........ ........... ... ............. .......... ...... ..... ........ . ... ..
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2235
                        Entropy (8bit):5.142592159444541
                        Encrypted:false
                        SSDEEP:48:cxX7DE+T8Z+bm5snwETMAoQEATN27uNBDReq4N3mJeNHNP64NsFKJJem4vyAs:8LZTDkZ7+2IBCht6J8neHs
                        MD5:E338408F1101499EB22507A3451F7B06
                        SHA1:83B42F9D7307265A108FC339D0460D36B66A8B94
                        SHA-256:B7D9528F29761C82C3D926EFE5E0D5036A0E0D83EB4CCA7282846C86A9D6F9F3
                        SHA-512:F7BE923DC2856E0941D0669E2DE5A5C307C98DC7EBA0A1B68728EB29C95B4625145C2AD3AC6F6B6D82F062887EA349E2187F1F91785DDE5A5083BC1150E56326
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="fi-fi" Language="1035" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] -asennus</String>.. <String Id="Title">Microsoft .NET Framework tarvitaan [WixBundleName] -asennusta varten</String>.. <String Id="ConfirmCancelMessage">Haluatko varmasti peruuttaa?</String>.. <String Id="HelpHeader">Asennusohjelman ohje</String>.. <String Id="HelpText">/passive | /quiet - n.ytt.. mahdollisimman v.h.n k.ytt.liittym.st.; ei.. kehotteita tai ei k.ytt.liittym.. ja kehotteita. Oletusarvoisesti.. k.ytt.liittym. ja kaikki kehotteet n.ytet..n...../norestart - est.. uudelleenk.ynnistysyritykset. Oletusarvoisesti.. k.ytt.liittym. kysyy ennen uudelleenk.yn
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2306
                        Entropy (8bit):5.076293283609686
                        Encrypted:false
                        SSDEEP:48:cxX7DyBT81BbKBswAL1xV1wjRcDSNwDXoN3mSZfNhkLPkQpznsdMEodAY:8LwTK5KHsijmEXY
                        MD5:AA32A059AADD42431F7837CB1BE7257F
                        SHA1:4CD21661E341080FB8C2DEFD9F32F134561FC3BA
                        SHA-256:88E7DDACD6B714D94D5322876BD50051479B7A0C686DC2E9EB06B3B7A0BC06C9
                        SHA-512:78E201F369E65535E25722DFC0EFE99EDF641F7C14EFF1526DC1CC047FF11640079F1E3D25C9072CF25F4804195891BE006FC5ED313063AFCB91FB5700120B88
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="fr-fr" Language="1036" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Installation de [WixBundleName]</String>.. <String Id="Title">Microsoft .NET Framework requis pour l'installation de [WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.tes-vous s.r de vouloir annuler.?</String>.. <String Id="HelpHeader">Aide de l'installation</String>.. <String Id="HelpText">/passive | /quiet - affiche une interface minimale sans invites ou n'affiche.. aucune interface ni aucune invite. Par d.faut, l'interface et toutes les.. invites sont affich.es...../norestart - annule toute tentative de red.marrage. Par d.faut, l'interface.. affiche une invite avant de red.marrer..
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2392
                        Entropy (8bit):5.293225307744296
                        Encrypted:false
                        SSDEEP:48:cxX7DwzT8cSwvs48mF7GD/g1v0wH7N3wwJxL99oN3m/ZNRUYPBZRT1XESW3o/ULG:8LQT2wpFGbgT3wMN2QRj/y/LKr
                        MD5:17FB605A2F02DA203DF06F714D1CC6DE
                        SHA1:3A71D13D4CCA06116B111625C90DD1C451EA9228
                        SHA-256:55CF62D54EFB79801A9D94B24B3C9BA221C2465417A068950D40A67C52BA66EF
                        SHA-512:D05008D37143A1CC031F4B6268490A5A10FBB686C86984D20DB94843BDC4624EF9651D158DCB5B660FC239C3C3E8D087EB5D23FFFB8C4681910CBC376148F0F0
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="hu-hu" Language="1038" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] telep.t.</String>.. <String Id="Title">A(z) [WixBundleName] telep.t.s.hez Microsoft .NET-keretrendszer sz.ks.ges</String>.. <String Id="ConfirmCancelMessage">Biztosan megszak.tja?</String>.. <String Id="HelpHeader">A telep.t. s.g.ja</String>.. <String Id="HelpText">/passive | /quiet - Minim.lis felhaszn.l.i fel.let megjelen.t.se k.rd.sek.. n.lk.l, illetve felhaszn.l.i fel.let .s k.rd.sek megjelen.t.se n.lk.li.. telep.t.s. Alapesetben a felhaszn.l.i fel.let .s minden k.rd.s megjelenik...../norestart - Az .jraind.t.si k.r.sek elrejt.se. Alapeset
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2304
                        Entropy (8bit):4.985260685429469
                        Encrypted:false
                        SSDEEP:48:cxX7DQyT81ebRcesyB+lY25ukVpkXJM2DJNXhpXZoN3mMhNTM+POYO/n1YxXlcI5:8LFTzLtkfwWKXHZi37MIDp
                        MD5:50261379B89457B1980FF19CFABE6A08
                        SHA1:F80B1F416539D33206CE3C24BA3B14B799A84813
                        SHA-256:A40C94EB33F8841C79E9F6958433AFFD517F97B4570F731666AF572E63178BB7
                        SHA-512:BBD9794181EEC95D6BE7A1B7BA83FD61AF2B2DF61D9DA8DDA2788B61BEC53C30FCEFE5222EDF134166532B36D3AB6CE8996F2D670DC6907C1864AF881A21EA40
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="it-it" Language="1040" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Installazione di [WixBundleName]</String>.. <String Id="Title">Microsoft .NET Framework necessario per l'installazione di [WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Annullare?</String>.. <String Id="HelpHeader">Guida dell'installazione</String>.. <String Id="HelpText">/passive | /quiet - visualizza l'interfaccia utente minima senza istruzioni.. oppure non visualizza n. l'interfaccia utente n. le istruzioni. Per.. impostazione predefinita vengono visualizzate interfaccia utente e.. istruzioni...../norestart - elimina eventuali tentativi di riavvio. Per impostazione.. predefinita l'int
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2545
                        Entropy (8bit):5.923292576429967
                        Encrypted:false
                        SSDEEP:48:cxX7DpcYT86WyscLpTIFw6tnOUjsj/D3NIgHcQN3mKN/WPOhT0SXsDay+z8QZEcE:8L1TccOFw6tnOUjsjpICnlOO934apWz
                        MD5:DB0F5BAB42403FD67C0A18E35E6880EC
                        SHA1:C0A18C8C5BCD7B88C384B5304B56EEB85A0DA3DC
                        SHA-256:CCDCDB111EFA152C5F9FF4930033698B843390A549699AE802098D87431F16FE
                        SHA-512:589522BD4A26BF54CCF3564E392E41BBBA4E7B3FD1ED74E7F4F6AD6F2E65CDE11FFF32D0C5F3BCD09052FE5110FDC361D1926E220FD0BAD2D38CAC21BBE93211
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="ja-jp" Language="1041" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ......</String>.. <String Id="Title">[WixBundleName] ........ Microsoft .NET Framework .....</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/passive | /quiet - ... UI ....................UI.. .............. .....UI ....................../norestart - ........................
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2236
                        Entropy (8bit):5.97627825234954
                        Encrypted:false
                        SSDEEP:48:cxX7D3sT8ZeusKOwOWGyKCstFmhENI2Y+kN3mp4iNmi6IPa0dDaoIunvZqIHU5UH:8LQTXvRFhIzl44wmgko04U5TY
                        MD5:442F8463EF5CA42B99B2EFACA696BD01
                        SHA1:67496DB91CBAA85AC0727B12FC2D35E990537DAC
                        SHA-256:D22F6ADA97DBFFC1E7548E52163807F982B30B11A2A5109E71F42985102CCCBD
                        SHA-512:A350EAF9E7AEAFAB1163D7C0B8D014AFE07EE98BAE3915CBDD3C26282E345A0838E853C89BAE8943474758DCBCFD0BB0724A0C75CBF969F321FAB4944E8704FD
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="ko-kr" Language="1042" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ..</String>.. <String Id="Title">[WixBundleName] ... ... Microsoft .NET Framework</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">.. ...</String>.. <String Id="HelpText">/passive | /quiet - ... .. .. UI. ..... UI. .... .... .... ..... ..... UI . .. .... ........../norestart - .. ..... ... ...... ..... UI. .. .... .. .... ......../log log.txt - .
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2312
                        Entropy (8bit):4.965432037520827
                        Encrypted:false
                        SSDEEP:48:cxX7DK1T8u7hbU7Asd7MqpSwzCcHGFN9OsNN3mvoNBC7hPFtO7+xw7t0Yza2Al:8LcTtpGLFSwJHmPnnKhEBtsl
                        MD5:67F28BCDB3BA6774CD66AA198B06FF38
                        SHA1:85D843B7248A5E1173FF9BD59CB73BB505F69B66
                        SHA-256:226B778604236931B4AE45F6F272586C884A11517444A34BF45CD5CAE49BE62E
                        SHA-512:7BC7D3E6E19ECF865B2CABFC46C75D516561D5A8A81A8ED55B4EDBA41A13A7110F474473740200AFB035B9597A2511D08C2A2E7A9ADE2C2AB4D3F168944B8328
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="nl-nl" Language="1043" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Installatie</String>.. <String Id="Title">Microsoft .NET Framework is vereist voor installatie [WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Weet u zeker dat u de installatie wilt annuleren?</String>.. <String Id="HelpHeader">Help bij Setup</String>.. <String Id="HelpText">/passive | /quiet - geeft een minimale gebruikersinterface weer zonder prompts.. of geeft geen gebruikersinterface en geen prompts weer. Gebruikersinterface.. en alle prompts worden standaard weergegeven...../norestart - pogingen tot opnieuw opstarten onderdrukken... Gebruikersinterface vraagt standaard al
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2171
                        Entropy (8bit):5.089922193759582
                        Encrypted:false
                        SSDEEP:48:cxX7DTeT8uUbnFdsLnFHv+Gpm1qL5DQNDDaoN3mpZfN15dPnfuOOg5wZ5uAq8fAS:8L+Tec1x8Siule4S
                        MD5:5454F724C9CDAB8172678A1CC7057220
                        SHA1:241A57018ACE1210881583A9CF646E7D2E51412F
                        SHA-256:41545AC1247B61C3C3E2A7E4659D9FAD2BCCA8347C69F2EB7B9D0CF5FC31E113
                        SHA-512:40E311EADA299996E32A7D35223CA678A03C869D63C023D59BC97A7B2049B0252AA9D0A7EC8558D5ACB73BD14C7BFA913097E65ABEE7455658DB7E35BBDA8AE1
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="nb-no" Language="1044" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Installasjonsprogram</String>.. <String Id="Title">Microsoft .NET Framework kreves for [WixBundleName]-installasjon</String>.. <String Id="ConfirmCancelMessage">Er du sikker p. at du vil avbryte?</String>.. <String Id="HelpHeader">Installasjonshjelp</String>.. <String Id="HelpText">/passive | /quiet - viser minimalt brukergrensesnitt uten ledetekster, eller.. ikke noe brukergrensesnitt og ingen ledetekster. Som standard vises.. brukergrensesnitt og alle ledetekster...../norestart - undertrykker alle fors.k p. omstart. Som standard sp.r.. brukergrensesnittet f.r omstart.../log log.txt
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2368
                        Entropy (8bit):5.270514043715206
                        Encrypted:false
                        SSDEEP:48:cxX7Du4OT82gXusarwkfpYrKD8DTNkbNuoN3mjbsNniIPh8ynN1NYd4iYuffAL:8LKTsXgpYr2IyoiiOffpT3L
                        MD5:96ACAAA5AEF7798E9048BAFF4C3FA8D3
                        SHA1:E76629973F6C1CFC06F60BA64FE9F237B2DB9698
                        SHA-256:F4AA983E39FB29C95E3306082F034B3A43E1D26489C997B8E6697B6A3B2F9F3C
                        SHA-512:964F73E572BDCB1AD946C770E6A2FB4A1CE54AF4B5BB072F64256083BA27A223F4DAD4A95B9D2A646180806D1F977726147970B06AAC35EED75AEC6CA89ED337
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="pl-pl" Language="1045" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalator programu [WixBundleName]</String>.. <String Id="Title">Do zainstalowania programu [WixBundleName] jest wymagany program Microsoft .NET Framework</String>.. <String Id="ConfirmCancelMessage">Czy na pewno chcesz anulowa.?</String>.. <String Id="HelpHeader">Pomoc instalatora</String>.. <String Id="HelpText">/passive | /quiet - wy.wietla minimalny interfejs u.ytkownika bez monit.w.. lub nie wy.wietla interfejsu u.ytkownika ani monit.w. Domy.lnie jest.. wy.wietlany interfejs u.ytkownika i wszystkie monity...../norestart - pomija wszelkie pr.by ponownego uruchomienia. Domy.lnie.. interf
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2147
                        Entropy (8bit):5.130635342194656
                        Encrypted:false
                        SSDEEP:48:cxX7DuoT85b0s/4TDoYDj4NF5j2hN3mMNYskPDXKIMaKcP9A5g:8L1TmBHjs59M8r6
                        MD5:BD39ADB6B872163FD2D570028E9F3213
                        SHA1:688B8A109688D3EA483548F29DE2E57A8A56C868
                        SHA-256:ECB5C22E6C2423CAF07AEBE69F4FAF22450164EEE9587B64EF45A2D7F658CA15
                        SHA-512:F2826BE203E767D09FF0D7677E1CF5B13113B773D529166DAE02A1F5DB2DC58E0856A34901DF70011EBABB6E964FAB7ACF38590E650BD629D4E4DC4CB36C8D45
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="pt-br" Language="1046" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Instala..o</String>.. <String Id="Title">Microsoft .NET Framework . necess.rio para instala..o do [WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda da Instala..o</String>.. <String Id="HelpText">/passive | /quiet - exibe UI m.nima sem avisos ou exibe sem UI e.. sem avisos. Por padr.o a UI e todos avisos s.o exibidos...../norestart - suprime qualquer tentativa de reinicializa..o. Por padr.o a UI.. ir. solicitar antes de reiniciar.../log log.txt - logs para um arquivo espec.fico. Por padr.
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2880
                        Entropy (8bit):5.408094213063887
                        Encrypted:false
                        SSDEEP:48:cxX7DkTT8fjtEeusogrohY2Ar7DHNnjTh53oN3miRMNKrdPin+/uYcbSkuEIcOvG:8LYT8EeHMMJRNi1Ruwi3OwL
                        MD5:DAF167AF4031EF47E562056A7D51AA73
                        SHA1:0156B230CADD6169AC2820865E3C031ED79785EF
                        SHA-256:C91C9E87AB4A6DB078F1991F4A2CDC726B58A40E47BCE49D39168A8F8F151C3B
                        SHA-512:5E87EE3838E3595ADBD7EABA6E3E33CDFEA5E15ED716FBCCDBD55235B3E53E1E41EA5A907F425E96C35167543C7F75AC5214B5AEE177D299FC2464A68B22851E
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="ru-ru" Language="1049" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">......... [WixBundleName]</String>.. <String Id="Title">... ......... [WixBundleName] ......... Microsoft .NET Framework</String>.. <String Id="ConfirmCancelMessage">.. ............. ...... ........ ........?</String>.. <String Id="HelpHeader">....... .. .........</String>.. <String Id="HelpText">/passive | /quiet - ........... ............ .. ... ........ ... ...... ... .. .. . ............ .. ......... ............ .. . ... ......
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2701
                        Entropy (8bit):5.416644976437225
                        Encrypted:false
                        SSDEEP:48:cxX7D+cT8muPusz2qs1u+Vh1TqDINHZJoN3m8fN0vPp3OAwa2ywSODAubHK/TAB9:8L1TuPdKNzfifFmcat0K/V4bd
                        MD5:776CDF9B481F0E857758E9BE2771AFDE
                        SHA1:06C320749964BB4107815D88A37C7451AE4284BF
                        SHA-256:63EC83F825844C8F568130FA0CA5FC72266B2F55196769327024E66E04CA2483
                        SHA-512:18B82E8CA973644A571A769E7E5B29832870AEA705BB67601B2E0BA3E3830BFD5547F08C19B8044859E12EBE5F1077CBF1C4E1DE27D6C1C3931C4A3AA2E3C899
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="sk-sk" Language="1051" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] . in.tal.cia</String>.. <String Id="Title">Na in.tal.ciu aplik.cie [WixBundleName] sa vy.aduje s..as. Microsoft .NET Framework</String>.. <String Id="ConfirmCancelMessage">Naozaj chcete zru.i. oper.ciu?</String>.. <String Id="HelpHeader">Pomocn.k pre in.tal.ciu</String>.. <String Id="HelpText">/passive | /quiet . zobraz. minim.lne pou..vate.sk. rozhranie bez v.ziev alebo.. nezobraz. .iadne pou..vate.sk. rozhranie ani v.zvy. Predvolene sa.. zobrazuje pou..vate.sk. rozhranie aj v.etky v.zvy...../norestart . zru.. v.etky pokusy o re.tart. Pou..vate
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2132
                        Entropy (8bit):5.1255014007111495
                        Encrypted:false
                        SSDEEP:48:cxX7DviT8NFLbu9sM2vECjf26axBZYXcqADCNKTbkoN3maT6NWOjEXPauOOKYnhf:8LmTAcRnQXFPK0iHMsfb2Ws3M
                        MD5:D95E81164C57B6FD75E7C3022454192E
                        SHA1:5D5ACBC56E7078AF4D04C45B78C0FF090C02EE6A
                        SHA-256:6DD61CC6B87B53EAF28430068A2A459730FD4B2BCF876CCDF040212D04C4FE7D
                        SHA-512:9E4BA81A145574818DD6A1F1D0EC38EA1629C7771919C35923F440E31EA9912E1630D94FCDB82B71104EBD61D0321DCDF935BA20D69988EE6E9B22259186AF0C
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="sv-se" Language="1053" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName]-installation</String>.. <String Id="Title">Microsoft .NET Framework kr.vs f.r installation av [WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Vill du avbryta?</String>.. <String Id="HelpHeader">Installationshj.lp</String>.. <String Id="HelpText">/passive | /quiet - visar ett minimalt anv.ndargr.nssnitt utan prompter,.. alternativt inget anv.ndargr.nssnitt och inga prompter. Som standard visas.. anv.ndargr.nssnitt och samtliga prompter...../norestart - hejdar omstart. Som standard visar anv.ndargr.nssnittet en.. prompt f.re omstart.../log log.txt - skapar logg till
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2303
                        Entropy (8bit):5.2754753523795275
                        Encrypted:false
                        SSDEEP:48:cxX7DNcYT8anOSMsHEqGpcBztpvrJlrs2ZmNI2+Yo6irN3m22NFcPc+4Trzrdgc7:8LZHTE7APaTI9sq6yEbgg
                        MD5:01B200E06BA600A4EF00C00F7AAC5CE4
                        SHA1:22234426C42637E069A46217019551E4434A4AB6
                        SHA-256:06BFB6DFBC38105C699DEA226A029DF3EF673C33E4B8928DC4EC7FB8F761487D
                        SHA-512:8BDCF7533A6BCFA231B42A7EF845A70C7535FBF607D62FF6404928D5941BA6AFBF139450A1A1B58C65FACF88DC0785AEC4ABEFBCC803466A58B1930F7C468CDD
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="tr-tr" Language="1055" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Kurulumu</String>.. <String Id="Title">[WixBundleName] kurulumu i.in Microsoft .NET Framework gerekir</String>.. <String Id="ConfirmCancelMessage">.ptal etmek istedi.inizden emin misiniz?</String>.. <String Id="HelpHeader">Kurulum Yard.m.</String>.. <String Id="HelpText">/passive | /quiet - komut istemi olmayan olabildi.ince k...k bir UI.. g.r.nt.ler veya komut istemi ve UI g.r.nt.lemez. Varsay.lan olarak UI.. ve t.m komut istemleri g.r.nt.lenir...../norestart - yeniden ba.latma denemelerini engeller. Varsay.lan.. olarak UI yeniden ba.latmadan .nce komut isteyecekt
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2200
                        Entropy (8bit):5.1485120966265
                        Encrypted:false
                        SSDEEP:48:cxX7DZ0T8obZsw9g5gS56K97D7NCt2VoN3mQXNJPOhP58vqc1qwueo3RAL:8LyTLlS9h9hCtsihdxOh+NL
                        MD5:5836F0C655BDD97093F68AAF69AB2BAB
                        SHA1:B6842E816F9E0DCC559A5692E4D26101D10B4B16
                        SHA-256:C015247D022BDC108B4FFCAE89CB55D1E313034D7E6EED18744C1BB55F108F8C
                        SHA-512:640A79D6A756E591AD02DDCCC53BC43F855C5148B8CBB5CE6C1CAF5419CA02F7B2AFF89CCA4C056356814D3899EF79BF038B4E8B4B79EB85138A3CEDCCE93E5B
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="sl-si" Language="1060" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Namestitev</String>.. <String Id="Title">Microsoft .NET Framework, potreben za namestitev paketa [WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Ali ste prepri.ani, da .elite preklicati?</String>.. <String Id="HelpHeader">Pomo. za namestitev</String>.. <String Id="HelpText">/passive | /quiet - prika.e minimalni uporabni.ki vmesnik brez pozivov ali ne prika.e.. uporabni.kega vmesnika in pozivov. Privzeto so prikazani uporabni.ki vmesnik in.. vsi pozivi...../norestart - skrije vse mo.nosti za vnovicni zagon. Privzeto uporabni.ki vmesnik.. prika.e poziv pred ponovnim zag
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1980
                        Entropy (8bit):6.189594519053644
                        Encrypted:false
                        SSDEEP:48:cxX7DjQT8tOBousi+zq+frUR2ropNV2rfN3msNUqPPT9T+DwZ9f5wDTAV:8L4TGUGw3V8N3RykV
                        MD5:A34DCF7771198C779648B89156483E83
                        SHA1:A6E0FA91CD50048511C7BEF1BE3A8D32B42B6D1F
                        SHA-256:89C559C6765F8D643469E3C8F4AA93023F09369B0395EA647FAD5AF3C2893EB6
                        SHA-512:0F1D7BC4FD64E18EEEC488CDCE01FB6BFA5CD3BFF614A8D03E388D39F569B8341E74302946877EB25BA1EB17AEC137499189605E251FAFB6B20051744CB463B1
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="zh-ch" Language="2052" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ..</String>.. <String Id="Title">[WixBundleName] .... Microsoft .NET Framework</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/passive | /quiet - ..... UI .......... UI ... ........... UI ........../norestart - .............. UI ........../log log.txt - .............. %TEMP% ........</String>.. <String Id="HelpCloseButton"
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2211
                        Entropy (8bit):5.1155097909395035
                        Encrypted:false
                        SSDEEP:48:cxX7DbT8QGls54nK3znI5zKDj4NLkdoN3mMNYsEPbpK2Aegeu9A5g:8LXTUasJnYdi59som6
                        MD5:8A278E519EF81B2847490EFB070219BC
                        SHA1:7365EDF6E4F9E66B6CEE47933B6C70FF0B9ECFF8
                        SHA-256:E2BFDB2CF3BEAE2E988827C52C58006D7EEAD4ABA5312B5EAE1F6CCF3863C385
                        SHA-512:88275C1136FFB15AB04D315E8601BE2DE77387F3E00F17E9807E415A9DFC4A73E2CD3B5710E4CA58006F91E18180D7CFAEEF4E8319C624E1B81397F9CB9ECA92
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="pt-pt" Language="2070" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Configura..o do [WixBundleName]</String>.. <String Id="Title">O Microsoft .NET Framework . necess.rio para a configura..o do [WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem a certeza de que pretende cancelar?</String>.. <String Id="HelpHeader">Ajuda da Configura..o</String>.. <String Id="HelpText">/passive | /quiet - apresenta IU m.nima sem mensagens ou n.o apresenta IU nem.. mensagens. Por predefini..o, s.o apresentadas a IU e todas as mensagens...../norestart - suprimir qualquer tentativa de rein.cio. Por predefini..o, a IU.. avisar. antes de reiniciar.../log log.txt - r
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2400
                        Entropy (8bit):4.992567587099768
                        Encrypted:false
                        SSDEEP:48:cxX7DLT8/OusS2V8j4Lq+7dKzCLdqaaD6NJaXFoN3mRNLo3PWKWnRcsB9A8:8LfTz+8EPqKqTJiFikUgk8
                        MD5:1024AA88AE01BC7BA797193CC6023375
                        SHA1:9252A309C1CB32573F4D58A595A78660FDF54B2F
                        SHA-256:B884C4ABB8867553C1FFADD6721C2135EC5F9F1455C3F668D711CCEA65363D1A
                        SHA-512:77E6DD332104C0461B7C5A08469161AF3F1DC51D3B55585D39DD9FC9E2088DA036BDF2278CFB96CA702FD26CE073C6C6F66611313270700B9E7A76600C1C8E38
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="es-es" Language="3082" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">La instalaci.n de [WixBundleName] requiere Microsoft .NET Framework</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda del programa de instalaci.n</String>.. <String Id="HelpText">/passive | /quiet - muestra una interfaz de usuario m.nima y no realiza.. preguntas, o bien no muestra interfaz de usuario y no realiza preguntas... De manera predeterminada se muestra la interfaz de usuario completa y se.. realizan todas las preguntas necesarias...../norestart - suprime cu
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PNG image data, 150 x 78, 8-bit/color RGB, non-interlaced
                        Category:dropped
                        Size (bytes):5288
                        Entropy (8bit):7.866967662563204
                        Encrypted:false
                        SSDEEP:96:KSpZi1MNnHT/Js2df+DQ1xOp+CVD/rTU5oEi:JmMNnzhsOGDQ1xYdVjrT7
                        MD5:C8B587DF6BDA0EB187B61EA58E8A4289
                        SHA1:0A1513713AF8EE96BC7B0B3A53D33EE748A76B29
                        SHA-256:9ACEBA458711CA6C4039A518E033F99AF8CA22A1CBAE4901B6EA819F4FE01D02
                        SHA-512:BAAF7C164E527F29501817FF7E92E004761D153E8516577F14CE031BA0BA6AD2369EC10E366D91BD08D50C23EE9825835A63785831D6633F430C61BF56C6D5A1
                        Malicious:false
                        Preview:.PNG........IHDR.......N.....M.x.....tEXtSoftware.Adobe ImageReadyq.e<...oiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpRights="http://ns.adobe.com/xap/1.0/rights/" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmpRights:Marked="True" xmp:CreatorTool="Adobe Photoshop CC (Windows)" xmpMM:InstanceID="xmp.iid:8E0F2001312411E3A20BADE12FFA48D6" xmpMM:DocumentID="xmp.did:8E0F2002312411E3A20BADE12FFA48D6"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:8E0F1FFF312411E3A20BADE12FFA48D6" stRef:documentID="xmp.did:8E0F2000312411E3A20BADE12FFA48D6"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..|^....IDATx..\.tT...s.l..L...Y.C..bR..D.
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PNG image data, 485 x 300, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):1695
                        Entropy (8bit):5.33494873831028
                        Encrypted:false
                        SSDEEP:12:6v/7jlMbLbvdQnZWvymRmVt55iDVOceXwy8ZvbVYFapjC:KlMbLDe55iDVAXO8Fac
                        MD5:45ED44A4086556AF0279B0845347941A
                        SHA1:E72FE90738D1D9E7E2AC4C563A8E2AF49A84A124
                        SHA-256:0253ACAFF4FE1EC6FB5E4F93A4FA6C6CF8DD42775F90E69DA945326AA9072743
                        SHA-512:6D18B634CBCE51CB992715411C3D9C5470F29A91579890AE9870DB745D9606B5DE7542793C65BFD25DED2A09974D19F6B2F05FF45339EABF20BCF4A52C9EB6B5
                        Malicious:false
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (609), with CRLF line terminators
                        Category:dropped
                        Size (bytes):4654
                        Entropy (8bit):3.739571649345569
                        Encrypted:false
                        SSDEEP:96:XpwMWhn6wdVU4ycHn6OokU0wEuycPYLwM7DsB7PO2u0L9N3:Xa3DE0lDOAc8o99
                        MD5:BE61B0C2D38624DD0BE199A98E3DD425
                        SHA1:48F64FDBEEA597DF7B2948D0D41BFF7D36E411DD
                        SHA-256:FDC9187CCD279623D101179B6954B7F61A1DE868FBA888C8A551AEB961A9A44D
                        SHA-512:FB8A7F7AF4B5941A91B902047028F63768B9555265791F55DDD4342AE59F1D84956B382B47E42662FB24AAB84B3600C9FC5CF9A1C47F335DF3FBC4FD3C5CB5A6
                        Malicious:false
                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".N.i.t.r.o. .P.D.F. .P.r.o.". .L.o.g.P.a.t.h.V.a.r.i.a.b.l.e.=.".W.i.x.B.u.n.d.l.e.L.o.g.". .C.o.m.p.r.e.s.s.e.d.=.".n.o.". .I.d.=.".{.f.7.3.2.7.6.5.5.-.e.1.1.8.-.4.9.7.9.-.b.f.4.d.-.4.5.9.b.2.b.0.7.2.a.2.a.}.". .U.p.g.r.a.d.e.C.o.d.e.=.".{.7.0.9.C.6.4.8.1.-.3.F.1.9.-.4.E.D.D.-.A.5.F.F.-.D.D.F.7.F.7.5.5.C.5.6.3.}.". .P.e.r.M.a.c.h.i.n.e.=.".y.e.s.". ./.>..... . .<.W.i.x.M.b.a.P.r.e.r.e.q.I.n.f.o.r.m.a.t.i.o.n. .P.a.c.k.a.g.e.I.d.=.".N.e.t.F.x.4.8.R.e.d.i.s.t.". .L.i.c.e.n.s.e.U.r.l.=.".h.t.t.p.s.:././.r.e.f.e.r.e.n.c.e.s.o.u.r.c.e...m.i.c.r.o.s.o.f.t...c.o.m./.l.i.c.e.n.s.e...h.t.m.l.". ./.>..... . .<.W.i.x.P.a.c.k.a.g.e.P.r.o.
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):784
                        Entropy (8bit):4.884911161206282
                        Encrypted:false
                        SSDEEP:12:MMHd41Gqt7lzc+TXYr+XF69bWzc+TXYcXIhuGsVymhsSsrkOJ9OT3XWGrX7D7XRQ:Jdi7RtYrx9itYxmhyrkYu3G0HG3F
                        MD5:54C6A3735B709267FF8500704C086B65
                        SHA1:82D8C0DA44F58694DE287AD77D0D88D073838DC9
                        SHA-256:8C128F1E877E4679FD2611764C0EF1BBCA1FFF7F635BEB0AE553EF2CA3E9C89E
                        SHA-512:74EFFA7C69996FC646BA12B7F5455545E932265BECF2647B2527F31018C34C736E4C1CB48AB781A540D56754C9BF6639EDEDB93786FCAABE15814E0F159953C0
                        Malicious:false
                        Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <configSections>.. <sectionGroup name="wix.bootstrapper" type="Microsoft.Tools.WindowsInstallerXml.Bootstrapper.BootstrapperSectionGroup, BootstrapperCore">.. <section name="host" type="Microsoft.Tools.WindowsInstallerXml.Bootstrapper.HostSection, BootstrapperCore" />.. </sectionGroup>.. </configSections>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>.. </startup>.. <wix.bootstrapper>.. <host assemblyName="NitroBA">.. <supportedFramework version="v4\Full" />.. <supportedFramework version="v4\Client" />.. </host>.. </wix.bootstrapper>..</configuration>..
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):93968
                        Entropy (8bit):5.860629518464851
                        Encrypted:false
                        SSDEEP:1536:2HMBp/GRbgi5ofpiG2pq+51UogbJPi6xD:2uUbV5jlq+51UoWJPp
                        MD5:60EAFF04CFA5EDD04B05E61C1F4D6E7E
                        SHA1:35F69F0487653A5992564EF13387449CC63990B5
                        SHA-256:139E767080FCDD816A19E664ECE9E15769451D924D99288441607065CC928A8C
                        SHA-512:17506D40F29CC1321290310CA62BE116ADDC19B7E2D5CF7EEB6C55F91C36BECED51D71A0F29C6EBFD6B7A88205F2FA2CC6DF7EA3B2C6017D3EA13EA2D50F1B36
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        • Antivirus: Virustotal, Detection: 0%, Browse
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PNG image data, 62 x 78, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):2335
                        Entropy (8bit):7.816383571389476
                        Encrypted:false
                        SSDEEP:48:Us1DrqK7vqr2/Vo62GtAyhql5d2Yp/LjLkUZSCv:UshnY2Szd2+TjLxv
                        MD5:D400C5ED0015DC2B01583335D71D2B92
                        SHA1:57B16DA34212D6477EE442B9C142A0C7807820C2
                        SHA-256:58FDB02764D28B307C689A7CCDC0E63A817A55FD0A681CDCDB53902092079FFC
                        SHA-512:FAFB56BD22DFEAA0C84914766A09E708898F9E9CF5B406584DA75877716798AB4928AA08DCE8109FCE3FE9814516F0D8B3B3271D1817337C86117BDC4D874D53
                        Malicious:false
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PNG image data, 62 x 78, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):2130
                        Entropy (8bit):7.7997464594754335
                        Encrypted:false
                        SSDEEP:48:UYDjUSNmzpT2a78P3DJpJNdH/ImLx48VjLe9MK91AM9:UG4SNmzpK0G3D/Kyx4yj5K9
                        MD5:E211D859CAEAE68D3135DB78D754A0BA
                        SHA1:E3719086F5E6270C72C181D655234824287B787C
                        SHA-256:CECDAC9F2358D06E67C181E929454736FAB231959DE82B20057B627E871BAF1B
                        SHA-512:9036C98039236265713B8DDED27F6706A704D3A31D79105081F3FE06C30374A51E75ACE97E3C2EFCEF5DF552CFB037838910A0D343BFD7D786014666C884561B
                        Malicious:false
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PNG image data, 20 x 60, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):868
                        Entropy (8bit):7.301581631592034
                        Encrypted:false
                        SSDEEP:12:6v/7Mu02bvdQnZWvymRmWseg3lmNzWEJxLKGwnNBdZN9qpLH17XTsH+1qDdMl8vS:hu02DAwNz5NKpX992LVrTFcdx76NJ
                        MD5:70F5477CB81DBD0EAA48A73FD2440AA4
                        SHA1:8FD544E99411FBCDEE262DC06ACB749C627EDD2F
                        SHA-256:589CF70ED7996DCF5DFDE3C4CF7866B262BB4A31F5955BD7B9A072DEF25C52C4
                        SHA-512:CAF3538135014718765DD7CD6E7602C49BC43C8120C67FA4A41C34C31F73FC4EE54C402F7A4A2E3BABBBE54FAFE6E5115E02DA0B8512B23255047CCA51675C83
                        Malicious:false
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):42872
                        Entropy (8bit):6.412246654902673
                        Encrypted:false
                        SSDEEP:768:2vmt6h5kXsXhQag/9k9/D39cGliOg07rMQ/UKPKzXKMBr3xLA6s6Y0F2LYZAMxkE:nt6hosXhQag/9k9/D39cKiOzpWBlLA5U
                        MD5:7A6B482FD8928603FAFE747BE73EFB31
                        SHA1:AB8C16D9DE29FAFB4954F805E292CF58EF68C39D
                        SHA-256:7E650417A9FDC339D6628E2CDAC36AD84A6E372742A53DE4022B2F857CA068AC
                        SHA-512:017E0FFD2B5D04D67402986DA2348100C2A567447B3646420CF796D36AE7FB021E2DB89D7242614A2EDFC9447C873991E204E9428D14626DCAA619FC2F018AA5
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        • Antivirus: Virustotal, Detection: 0%, Browse
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):188184
                        Entropy (8bit):5.9597699311885055
                        Encrypted:false
                        SSDEEP:3072:xGfZS7hUuK3PcbFeRRLxyR69UgoCaf8Y/CnfKlRUjW01Ky/hP:tzMRLkR6joxfjG
                        MD5:A4D3EAF44156AB27772E2CF99033ED64
                        SHA1:BD28431730BEA4908D2EA728EA70CCF48DEBC5D8
                        SHA-256:ABE1742945A10588376CD127771C3D5F3F0579D4FF1BDE15C41A494451D89444
                        SHA-512:AEB342F38A05CD061B76BDC7CBFA469E6C95E40DC81707D0DF2223A7BB1AC2B25169653AAE4D49945FFD579954897A166D897B65410DEC5ECDA5F32E15F1ADAA
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        • Antivirus: Virustotal, Detection: 0%
                        Joe Sandbox View:
                        • Filename: , Detection: malicious
                        • Filename: , Detection: malicious
                        • Filename: SecuriteInfo.com.CIL.HeapOverride.Heur.10407.9903.exe, Detection: malicious
                        • Filename: SecuriteInfo.com.CIL.HeapOverride.Heur.10407.9903.exe, Detection: malicious
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PC bitmap, Windows 3.x format, 148 x 60 x 24, image size 26640, resolution 2835 x 2835 px/m, cbSize 26694, bits offset 54
                        Category:dropped
                        Size (bytes):26694
                        Entropy (8bit):2.975171117331186
                        Encrypted:false
                        SSDEEP:96:nNWM9EiA1JzGLLF85cgngUAjPH94UD9l03D11XeLeu2+ldA:/9Eik6G7gUALlkZZKeuhldA
                        MD5:45D8FBC38103BFB1BFC282667CEB5A18
                        SHA1:FCD08C3CDE8B68918AF496CEB356DDEB66384937
                        SHA-256:45D1B9459F60CBDE528093D29FE9E4ED553C06C644B0017A0176704B1476A3A0
                        SHA-512:09525FDB5AC664B3BDAFEFC0F1C4E1ED1359225F4C36D076E7726FC864DE1AAC780D1ED54D282970DAB1998922C681AF4862244329B6F8DD35F5D6D9C7F60DFA
                        Malicious:false
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):374640
                        Entropy (8bit):7.180084376371929
                        Encrypted:false
                        SSDEEP:6144:sOtKN5vERtVX4udGBFm7BLBfYGxFWalsmcNIyoNvdTOFVibBbCxui:5VdOmNlpcNgvdiFVgCxR
                        MD5:43239CE73BEAE58CE5C0B4B66780D128
                        SHA1:1A4694F4C96A694BBE0F6AD35813768FF6DD3E86
                        SHA-256:3B8B732F1A49A599EF3288E84D7A63C995A2A1AD61192EE6F5DE67B2A7108F6C
                        SHA-512:DB955A1A3E481A92AE2797F9894DEBC70AC79493C056A29645E74D4EBD3F98C9B04A80CBB48AD45F10AAFCF574C28CEDBA7EAC7E4DA4FE5F1D996E1189CAE1B1
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        • Antivirus: Virustotal, Detection: 0%
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):30064
                        Entropy (8bit):6.694777649768307
                        Encrypted:false
                        SSDEEP:768:n6cr7NbhsVq32KsY+DNMA4kyir2aLdZaDSdM7/HWPVF2LYttxAMxkEvk:n6i7B2KsY+DNMA4kyir2aLdZaDSdMbug
                        MD5:80F29FA62F954A03ABAD24B984A45A7F
                        SHA1:77B49D1D46F5F65BD7F1008FE009DA1DA1D69641
                        SHA-256:56AE0E660E44D378879261419D808D3DC4488E13CAE95F6BF96561471DBF48FE
                        SHA-512:07A1A4BBFE35741AE4FBCF6D3306F3A60A1D768397F1919E2F095A3DC4E415E4C41B1F364C153FCFAB2C4764AE521ADBD8A4BC108793F73CB2D8E12F1670FE24
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PNG image data, 4 x 10, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):360
                        Entropy (8bit):5.725214702319826
                        Encrypted:false
                        SSDEEP:6:6v/lhPED/Khm0VhH7vdQg9sMEdUjH/aGZymRmjwLhAKdepFbp:6v/7MD+XbvdQnZWvymRmPKdeh
                        MD5:A07584B9A8CC8A7483FA394867D05C0A
                        SHA1:7FCEA631D924CD811E43F4C7BB3C5DA1319CF541
                        SHA-256:03DE7CBEC2ED9A3C17E210F537F5A826FA7E43491556F8356B95F1A80DFA4CDC
                        SHA-512:8E26B4946DF740D3E89CDA720F3CE039C635675973F655D638915253C288509DBF41078ABE9FB3DA0A978355F4958272972B87AE5929D96D416B88AB7743E53A
                        Malicious:false
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):23416
                        Entropy (8bit):6.604608816905775
                        Encrypted:false
                        SSDEEP:384:Ss8Szr0I0JXGbgx37OHJmz8BxBzKPbAP2Vhq6ki2LKeE4infNbIY9AM+o/8E9VFF:glrGJmQFujAebF2LYpICAMxkE
                        MD5:0DBD65BF269B06C53BEBA80C62FBF41E
                        SHA1:0380A5930AFB777AEA6E8E8FBEA594BFE98536D8
                        SHA-256:D3D14163B6F01350680D6FE397AF8645ED10F460BCE0ED3803547A65AE61E0F0
                        SHA-512:0A4405D236F464227A78749CE2D2AD86C3F6CD5AA73ED18690EBA5852D9A5D49B4CF340B85BB8D98EF081A1AEC68A9F715070651A29192CF9B8423EBBA078D32
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):22904
                        Entropy (8bit):6.658762362972803
                        Encrypted:false
                        SSDEEP:384:Es8Szr0I0YsIBFDENj0+pXbZ+hq6ki2LKeE4inhuAEAM+o/8E9VF0Ny4:elrCH+RtaF2LYwAEAMxkE
                        MD5:FF403070577AEE0069CBA5A419F97D57
                        SHA1:43A50744C40C841374877CFAEE353FDB64F462FC
                        SHA-256:725F1BFADF02C045FDF03DB7EB1F21273E7F3603EA41412E2A3FA4782DE2B7CC
                        SHA-512:94FFB8E1067E3CE2E872F571EB74A00B669ABE47A4173B7B7A4A9C06F5C2AF4E95F8B40C82EBFCAADD2E2E30662CD61AD27204D891640173D64FC9C5E3FC7A09
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):23408
                        Entropy (8bit):6.596749936663067
                        Encrypted:false
                        SSDEEP:384:js8Szr0I0s7MCB/KoOwr/qDdnhq6ki2LKeE4inlsAM+o/8E9VF0NyRwvPl:TlrtwriZhF2LYqAMxkECPl
                        MD5:93EB67900B4ED7E71531C12AB469495C
                        SHA1:E9A21EFE06C41ABC673F1791FCD4AE00AAA510CA
                        SHA-256:9C39E38A43225C1C29C3B7A65B0DBB8E727A0160706B19D68D612F7E23C81862
                        SHA-512:37D1D1D1306C08665A61AEEB589ABA2812BCDDD194700116FD1F53F995BB2B3BB6D9CBDFDFDC5B9BB441DFD273C9B890BA2C38EDC1556981C114A60E54B546D5
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):22904
                        Entropy (8bit):6.633942246677168
                        Encrypted:false
                        SSDEEP:384:Zs8Szr0I0gFjjAziFPZUEp3SF44r8mhq6ki2LKeE4in6SXuAM+o/8E9VF0NyIy:NlrVEFSF44r8SF2LY5XuAMxkE
                        MD5:C3F1C50260D49659620E169B5C2AF0B3
                        SHA1:6947A233A5B392D27FCE35903A5843CA7631555B
                        SHA-256:C8135BD38827C87F3FF7AD7D15A1BB61E004AF7A83CA123C293664D4FFEE16EF
                        SHA-512:C688FFB2949DD50AC6BFBFE5A4B6CE541625DAFB0F83C6413BECA48DBCC74510B9A6E78C298E98FF404D45EA9C4930468D3BDDFC38E2412D8FC98325215A6A5F
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):142616
                        Entropy (8bit):6.730633359213728
                        Encrypted:false
                        SSDEEP:3072:mxWu4uSLObpRTiyX+mJq4fazG3eN/9dYG5Zq/P:NLudRPDq4fOJGGPq
                        MD5:A98EB2617326292D3AB96E54B4BA703C
                        SHA1:DC72B1E18930D26C16B8D5E4F25711E4DA9DA24C
                        SHA-256:7182FB48A03F653A2B87D66409599D0D11DFB197CA7F969D2C8D72E38BF13590
                        SHA-512:0FAC78FC2F9FF8D6688726A4E082CBEFA0B6C1A421B90235062581ADF854A1C3BBDD0295B7F6BF931455AD974CF7E6AB966C558C769FCD6E26C1270E3C69A543
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):210192
                        Entropy (8bit):6.679552109262068
                        Encrypted:false
                        SSDEEP:3072:2EIwsGi6eTe5uBR3SupIu+ieZpKamkOLCaQuEsSyhssS2KPjMssd4qzgTrm9b9un:2EZdi6e93SuDeTKZxQfsRy26Tqb4HH
                        MD5:30803BDCDA5083DE8BB9FB5CCA486412
                        SHA1:65BCF49BC81595C57B769C11F7097B9BF2968FB6
                        SHA-256:AA1DD28CC0450DCF38761E4E63BD029C46C66A9DC907E5A2A4D1B2E4261C2DCD
                        SHA-512:6EB3895F137CE51F480A7EED90A79BEB354B1CD4EC708194398AC787F99462C92F8798B7C5762DDA8EA6A66DFE184031A2593A257A5B243A17F78DAC4289276E
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PNG image data, 63 x 63, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):797
                        Entropy (8bit):7.648767094164769
                        Encrypted:false
                        SSDEEP:12:6v/7rW3M/jDYAlFTzdvhKZ7e/cbp4/82UNb6MjmlKPNXheD1H0oJodqSXaTbutak:lQD1lldv8Z7g04/82Y6+Pxi19mDoqt5
                        MD5:A356956FD269567B8F4612A33802637B
                        SHA1:75AE41181581FD6376CA9CA88147011E48BF9A30
                        SHA-256:A401A225ADDAF89110B4B0F6E8CF94779E7C0640BCDD2D670FFCF05AAB0DAD03
                        SHA-512:A0F7836AEFA1747F481C116F6B085F503B5C09B3A1DD97CD2189F7CE4E6E7EA98F1F66503CBA2E6A83E873248CC7507328710DFA670AA5763DF8AEDCC560285E
                        Malicious:false
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4962
                        Entropy (8bit):5.199808691432248
                        Encrypted:false
                        SSDEEP:48:cjCiLyQRTe2zTuECzP7b51wFQwbdYys5I5q12ImZdTKJPRPDl6liw5T7JhS+a3Py:ALzeKKVcu8+VRLOHy3ypnv
                        MD5:91543B04E0EBF979D12EA3F94B6C7D28
                        SHA1:EC5ECC2AE5D8A6BD473BF643A27C70CE03EC4170
                        SHA-256:0B2B19205A49F295FEB94B30D86CCB82B82350241DC08BD0A69F2C516C0A93A7
                        SHA-512:4D0D97C1E13B1DDC8689F855A3637360451BF44CBA02C6E2A77CE2F8445C2FE3DDEEB7B87B926D23CA0545A24ADECD1F2896BF145F7EACFEFDB4737A5CD75C71
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>..<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010" .. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:custom="clr-namespace:Nitro.Bootstrapper".. ImageFile="Background.png">.. <Window Width="485" Height="300" HexStyle="80000000" FontId="6" SourceX="0" SourceY="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="ffffff" Background="215bee">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="ffffff">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="ffffff">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="ffffff" Background="215bee" Underline="yes">Segoe UI</Font>.. <Font Id="4" Height="-14" Weight="500" Foreground="ffffff" Background="215bee" Underline="yes">Segoe UI</Font>.. <Font Id="5" Height="-14" Weight="500" Foreground="ffffff" Background="215bee">Segoe UI</Font>.. <Font Id="6" Height="-14" Weight="5
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1847
                        Entropy (8bit):5.059445647501477
                        Encrypted:false
                        SSDEEP:48:cyMT8dbCsK19Wqq8+JIDxNy+VWOnfN3miNlLPDHXsfXQ2BmGAg:MTY1xmyZSFrNqATg
                        MD5:274945107A0B67B3F39C52CDF93CEB8C
                        SHA1:538F7CC3C7EDC07A9A9762FF5F5DB1B2594BD6F7
                        SHA-256:B523C09AB79F1E0F3E667364CBAD756484A5320E477F89FFC0630F30D7AB87B0
                        SHA-512:F31F63A44C40AF580DCCB1A02BB39CE6E756940166589E3BE6AC75041B011AC0E23F95D2AA60F034E7279634082B3D3D680C12D0F4FE3C0F30D14DDF16F755C8
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">Microsoft .NET Framework required for [WixBundleName] setup</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. By default a log file is created in %TEMP%.</String>.. <String Id="HelpCloseButton">&amp;Close</String>.. <String Id="InstallLicenseTerms">[WixBundleName] requires the Microsoft .NET 4.8 Framework (&lt;a href="#"&gt;license terms&lt;/a&gt;). Please click "Accept and Install" t
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2042736
                        Entropy (8bit):6.999436176120839
                        Encrypted:false
                        SSDEEP:49152:WB67VneZc2vtvS9HAgXrPtziN9pX++I5sQSe:WB67Vb2vBS9HAgpziN9pOV
                        MD5:4337973905C6C14F798BB354E1785144
                        SHA1:2F95E946DBA7F972D9F843BA03C4A894400BE95F
                        SHA-256:682A64E02DAD5AD703F05B73759714951462F5730B379E3584B27047B4630A32
                        SHA-512:F19222BB790A24777D6F334FBCF46ABCEF428EA8F1B1586D44E8D48D8E1BDE371AEF1D3ACC8BC3303C4318C854CB1093F6D408206540BA6C6BA2DA6514365225
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):22904
                        Entropy (8bit):6.635780834507595
                        Encrypted:false
                        SSDEEP:384:ms8Szr0I0Bp1hc4QFXjsxH6bJzgd1nhq6ki2LKeE4inaF00rAM+o/8E9VF0NyL9N:8lr/y4abBW1hF2LY6AMxkE
                        MD5:A024211B529F6E3E50078ECA6E98621B
                        SHA1:92E8A602271E4760271F873341806392C00F33EE
                        SHA-256:9B27BA7E30695945E54CF2C48E0A4BB45F25349B35D43D0649EB57B43783B432
                        SHA-512:086AD8E2E84867625C8AF6C7605DC189F5515FBE12E2AB7278748DBE8C7A5ACE28F21A2B76F3F12852942BD3BC682A3F6FD9AA06F118192712CA9009D8BA03D2
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Users\user\Desktop\nitro_pro14.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2457960
                        Entropy (8bit):7.6424905452066065
                        Encrypted:false
                        SSDEEP:49152:gREgvgoZ+o67r+dv03Zg+q3894KDG1wUMi:gREgooQ+vwGb3WK3Mi
                        MD5:957C08652837223A7876D64F5F93F232
                        SHA1:22CB448AC6BD4FC47A1889AA2643F0BD91E9C7FF
                        SHA-256:071DCD0FB10975EEA48DF1F75B3C6ECAEC30C901FC7639AD8E60B99C231EE223
                        SHA-512:CC8DE59CF17EC3F3DFA170D0CE9A86705189EBDA4000D45EE60A09D9235040F342D628CF05A6C1F740A33D0CA6B7D58DCFAEC18DEA7DA78AFBCB123F0099D601
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]aN.<...<...<...L...<...L..j<...T...<...T...<...T...<...L...<...L...<...L...<...<...=..PU...<..PU...<...<...<..PU...<..Rich.<..........................PE..L...]..e..........................................@................................./.%...@..........................................................Q%.p/.......>.. ...T...................t.......(F..@............................................text............................... ..`.rdata..f...........................@..@.data...<...........................@....wixburn8...........................@..@.rsrc...............................@..@.reloc...>.......@...j..............@..B........................................................................................................................................................................................................................................
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.6424905452066065
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:nitro_pro14.exe
                        File size:2'457'960 bytes
                        MD5:957c08652837223a7876d64f5f93f232
                        SHA1:22cb448ac6bd4fc47a1889aa2643f0bd91e9c7ff
                        SHA256:071dcd0fb10975eea48df1f75b3c6ecaec30c901fc7639ad8e60b99c231ee223
                        SHA512:cc8de59cf17ec3f3dfa170d0ce9a86705189ebda4000d45ee60a09d9235040f342d628cf05a6c1f740a33d0ca6b7d58dcfaec18dea7da78afbcb123f0099d601
                        SSDEEP:49152:gREgvgoZ+o67r+dv03Zg+q3894KDG1wUMi:gREgooQ+vwGb3WK3Mi
                        TLSH:44B5D02123224C32F6E41A7AE9149D346A7B5FE4B319E1ABB6D0BF4B7CF44C116B7112
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]aN.<...<...<...L...<...L..j<...T...<...T...<...T...<...L...<...L...<...L...<...<...=..PU...<..PU...<...<...<..PU...<..Rich.<.
                        Icon Hash:0cdb475131150527
                        Entrypoint:0x430217
                        Entrypoint Section:.text
                        Digitally signed:true
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Time Stamp:0x65C2935D [Tue Feb 6 20:15:25 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:6
                        OS Version Minor:0
                        File Version Major:6
                        File Version Minor:0
                        Subsystem Version Major:6
                        Subsystem Version Minor:0
                        Import Hash:e277f1464e7729ad9df5ec047611738a
                        Signature Valid:true
                        Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                        Signature Validation Error:The operation completed successfully
                        Error Number:0
                        Not Before, Not After
                        • 11/12/2023 16:53:32 11/12/2026 16:53:32
                        Subject Chain
                        • CN="Nitro Software, Inc.", O="Nitro Software, Inc.", STREET="447 Sutter St Ste 405 #1015", L=San Francisco, S=California, C=US, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=2574590, OID.2.5.4.15=Private Organization
                        Version:3
                        Thumbprint MD5:C371D635652D0F6BF4E7853FFBC0D016
                        Thumbprint SHA-1:C6D9E8DFE04715951925ACA6DEE1235F4887223D
                        Thumbprint SHA-256:626931C8B8F1EF913BED254A62AD7F045E438329F500BE19AD60375B1E92C7D2
                        Serial:6EE204BD6E482FA5C638CB1F
                        Instruction
                        call 00007FF2ECF07EFAh
                        jmp 00007FF2ECF077DFh
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        mov eax, dword ptr [esp+08h]
                        mov ecx, dword ptr [esp+10h]
                        or ecx, eax
                        mov ecx, dword ptr [esp+0Ch]
                        jne 00007FF2ECF0796Bh
                        mov eax, dword ptr [esp+04h]
                        mul ecx
                        retn 0010h
                        push ebx
                        mul ecx
                        mov ebx, eax
                        mov eax, dword ptr [esp+08h]
                        mul dword ptr [esp+14h]
                        add ebx, eax
                        mov eax, dword ptr [esp+08h]
                        mul ecx
                        add edx, ebx
                        pop ebx
                        retn 0010h
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        cmp cl, 00000040h
                        jnc 00007FF2ECF07977h
                        cmp cl, 00000020h
                        jnc 00007FF2ECF07968h
                        shld edx, eax, cl
                        shl eax, cl
                        ret
                        mov edx, eax
                        xor eax, eax
                        and cl, 0000001Fh
                        shl edx, cl
                        ret
                        xor eax, eax
                        xor edx, edx
                        ret
                        int3
                        push ecx
                        lea ecx, dword ptr [esp+04h]
                        sub ecx, eax
                        sbb eax, eax
                        not eax
                        and ecx, eax
                        mov eax, esp
                        and eax, FFFFF000h
                        cmp ecx, eax
                        jc 00007FF2ECF0796Eh
                        mov eax, ecx
                        pop ecx
                        xchg eax, esp
                        mov eax, dword ptr [eax]
                        mov dword ptr [esp], eax
                        ret
                        sub eax, 00001000h
                        test dword ptr [eax], eax
                        jmp 00007FF2ECF07949h
                        int3
                        int3
                        int3
                        cmp cl, 00000040h
                        jnc 00007FF2ECF07977h
                        cmp cl, 00000020h
                        jnc 00007FF2ECF07968h
                        shrd eax, edx, cl
                        shr edx, cl
                        ret
                        mov eax, edx
                        xor edx, edx
                        and cl, 0000001Fh
                        shr eax, cl
                        ret
                        xor eax, eax
                        xor edx, edx
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6bf14 | 0xb4 | .rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x71000 | 0x496e0 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2551f8 | 0x2f70 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xbb000 | 0x3ea4 | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6ac20 | 0x54 | .rdata
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x6ac74 | 0x18 | .rdata
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x64628 | 0x40 | .rdata
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x4e000 | 0x3d4 | .rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x6ba94 | 0x100 | .rdata
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0x4c9ae | 0x4ca00 | 6bf6f71d04ec2c3aabbb42285f8df72b | False | 0.5391931331566069 | data | 6.5797892199000305 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rdata | 0x4e000 | 0x1f566 | 0x1f600 | b16a7db9df5ae9f4eed32f977fe97084 | False | 0.30050112051792827 | data | 5.087156465731698 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data | 0x6e000 | 0x183c | 0xc00 | a538498e5f38a11e7adb4e1f083e1555 | False | 0.2353515625 | firmware 2005 v9319 (revision 0) \261\031\277DN\346@\273 V2, 0 bytes or less, at 0 0 bytes , at 0 0 bytes | 2.8798967720977293 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .wixburn | 0x70000 | 0x38 | 0x200 | 2a24ae3de3f6fd746c1faa79e03f32c6 | False | 0.095703125 | data | 0.5205881313429501 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .rsrc | 0x71000 | 0x496e0 | 0x49800 | 10819d7a65933c3d70e2f1cd63881208 | False | 0.09362709927721088 | data | 3.3623502565963466 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0xbb000 | 0x3ea4 | 0x4000 | 6a7c6b4809bb43c99895412b2b9eff33 | False | 0.79034423828125 | data | 6.74091099099598 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_ICON | 0x71238 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | English | United States | 0.07486241382371217
                        RT_ICON | 0xb3260 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.18101659751037344
                        RT_ICON | 0xb5808 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.23287992495309567
                        RT_ICON | 0xb68b0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.2860655737704918
                        RT_ICON | 0xb7238 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.3679078014184397
                        RT_MESSAGETABLE | 0xb76a0 | 0x2840 | data | English | United States | 0.28823757763975155
                        RT_GROUP_ICON | 0xb9ee0 | 0x4c | data | English | United States | 0.8026315789473685
                        RT_VERSION | 0xb9f2c | 0x2e0 | data | English | United States | 0.46603260869565216
                        RT_MANIFEST | 0xba20c | 0x4d2 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1174), with CRLF line terminators | English | United States | 0.47568881685575365
                        DLL | Import
                        ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, RegCreateKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyExW, RegEnumValueW, RegQueryInfoKeyW, RegQueryValueExW, RegSetValueExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, InitiateSystemShutdownExW, GetUserNameW, CloseEventLog, OpenEventLogW, ReportEventW, ConvertStringSecurityDescriptorToSecurityDescriptorW, CreateWellKnownSid, InitializeAcl, DecryptFileW, SetEntriesInAclW, ChangeServiceConfigW, CloseServiceHandle, ControlService, OpenSCManagerW, OpenServiceW, QueryServiceStatus, SetNamedSecurityInfoW, CheckTokenMembership, AllocateAndInitializeSid, SetEntriesInAclA, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, GetTokenInformation, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextW, QueryServiceConfigW
                        USER32.dll | PeekMessageW, PostMessageW, IsWindow, WaitForInputIdle, PostQuitMessage, GetMessageW, TranslateMessage, MsgWaitForMultipleObjects, PostThreadMessageW, GetMonitorInfoW, MonitorFromPoint, IsDialogMessageW, LoadCursorW, LoadBitmapW, SetWindowLongW, GetWindowLongW, GetCursorPos, MessageBoxW, CreateWindowExW, UnregisterClassW, RegisterClassW, DefWindowProcW, DispatchMessageW
                        OLEAUT32.dll | VariantInit, SysAllocString, VariantClear, SysFreeString
                        GDI32.dll | DeleteDC, DeleteObject, SelectObject, StretchBlt, GetObjectW, CreateCompatibleDC
                        SHELL32.dll | CommandLineToArgvW, SHGetFolderPathW, ShellExecuteExW
                        ole32.dll | CoUninitialize, CoInitializeEx, CoInitialize, StringFromGUID2, CoCreateInstance, CoTaskMemFree, CoInitializeSecurity, CLSIDFromProgID
                        KERNEL32.dll | GetFileType, GetStdHandle, EncodePointer, InitializeCriticalSectionAndSpinCount, SetLastError, RtlUnwind, CreateFileW, CloseHandle, ExitProcess, CreateFileA, SetFilePointer, WriteFile, GetLastError, GetCurrentProcessId, GetSystemDirectoryW, LoadLibraryW, lstrlenA, HeapSetInformation, GetModuleHandleW, GetProcAddress, LocalFree, SetCurrentDirectoryW, GetCurrentDirectoryW, CreateDirectoryW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetFileAttributesW, GetTempFileNameW, RemoveDirectoryW, SetFileAttributesW, GetTempPathW, MoveFileExW, FormatMessageW, lstrlenW, MultiByteToWideChar, IsValidCodePage, LCMapStringW, ExpandEnvironmentStringsW, GetFileSizeEx, GetFullPathNameW, ReadFile, SetFilePointerEx, SetFileTime, Sleep, GlobalAlloc, GlobalFree, CopyFileW, GetLocalTime, GetModuleFileNameW, CompareStringW, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetProcessHeap, FreeLibrary, InitializeCriticalSection, DeleteCriticalSection, ReleaseMutex, GetCurrentProcess, FindFirstFileExW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CreateProcessW, GetVersionExW, VerSetConditionMask, GetVolumePathNameW, EnterCriticalSection, LeaveCriticalSection, GetSystemTime, GetWindowsDirectoryW, GetNativeSystemInfo, GetSystemWow64DirectoryW, GetModuleHandleExW, GetComputerNameW, VerifyVersionInfoW, GetDateFormatW, GetUserDefaultUILanguage, GetUserDefaultLangID, GetSystemDefaultLangID, GetStringTypeW, DuplicateHandle, LoadLibraryExW, CreateEventW, ProcessIdToSessionId, ConnectNamedPipe, SetNamedPipeHandleState, CreateNamedPipeW, WaitForSingleObject, GetProcessId, OpenProcess, CreateThread, GetExitCodeThread, SetEvent, WaitForMultipleObjects, LocalFileTimeToFileTime, SetEndOfFile, ResetEvent, DosDateTimeToFileTime, CompareStringA, GetExitCodeProcess, SetThreadExecutionState, CopyFileExW, CreateMutexW, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, GetThreadLocale, GetStartupInfoW, IsDebuggerPresent, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, DecodePointer, WriteConsoleW, GetModuleHandleA, VirtualAlloc, VirtualFree, SystemTimeToTzSpecificLocalTime, SystemTimeToFileTime, GetCurrentThreadId, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, LoadLibraryExA, VirtualQuery, VirtualProtect, GetSystemInfo, RaiseException, GetTimeZoneInformation
                        RPCRT4.dll | UuidCreate
                        Language of compilation system | Country where language is spoken | Map
                        English | United States |
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Oct 14, 2024 11:37:35.340814114 CEST | 49732 | 443 | 192.168.2.4 | 104.16.123.109
                        Oct 14, 2024 11:37:35.340867043 CEST | 443 | 49732 | 104.16.123.109 | 192.168.2.4
                        Oct 14, 2024 11:37:35.341048956 CEST | 49732 | 443 | 192.168.2.4 | 104.16.123.109
                        Oct 14, 2024 11:37:35.570903063 CEST | 49732 | 443 | 192.168.2.4 | 104.16.123.109
                        Oct 14, 2024 11:37:35.570945024 CEST | 443 | 49732 | 104.16.123.109 | 192.168.2.4
                        Oct 14, 2024 11:37:36.080499887 CEST | 443 | 49732 | 104.16.123.109 | 192.168.2.4
                        Oct 14, 2024 11:37:36.080606937 CEST | 49732 | 443 | 192.168.2.4 | 104.16.123.109
                        Oct 14, 2024 11:37:36.140358925 CEST | 49732 | 443 | 192.168.2.4 | 104.16.123.109
                        Oct 14, 2024 11:37:36.140384912 CEST | 443 | 49732 | 104.16.123.109 | 192.168.2.4
                        Oct 14, 2024 11:37:36.140851021 CEST | 443 | 49732 | 104.16.123.109 | 192.168.2.4
                        Oct 14, 2024 11:37:36.140995026 CEST | 49732 | 443 | 192.168.2.4 | 104.16.123.109
                        Oct 14, 2024 11:37:36.144684076 CEST | 49732 | 443 | 192.168.2.4 | 104.16.123.109
                        Oct 14, 2024 11:37:36.191422939 CEST | 443 | 49732 | 104.16.123.109 | 192.168.2.4
                        Oct 14, 2024 11:37:36.512289047 CEST | 443 | 49732 | 104.16.123.109 | 192.168.2.4
                        Oct 14, 2024 11:37:36.512404919 CEST | 49732 | 443 | 192.168.2.4 | 104.16.123.109
                        Oct 14, 2024 11:37:36.512430906 CEST | 443 | 49732 | 104.16.123.109 | 192.168.2.4
                        Oct 14, 2024 11:37:36.512469053 CEST | 443 | 49732 | 104.16.123.109 | 192.168.2.4
                        Oct 14, 2024 11:37:36.512492895 CEST | 49732 | 443 | 192.168.2.4 | 104.16.123.109
                        Oct 14, 2024 11:37:36.512520075 CEST | 49732 | 443 | 192.168.2.4 | 104.16.123.109
                        Oct 14, 2024 11:37:36.512567043 CEST | 49732 | 443 | 192.168.2.4 | 104.16.123.109
                        Oct 14, 2024 11:37:36.512588978 CEST | 443 | 49732 | 104.16.123.109 | 192.168.2.4
                        Oct 14, 2024 11:37:36.512599945 CEST | 49732 | 443 | 192.168.2.4 | 104.16.123.109
                        Oct 14, 2024 11:37:36.512638092 CEST | 49732 | 443 | 192.168.2.4 | 104.16.123.109
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Oct 14, 2024 11:37:35.316135883 CEST | 64760 | 53 | 192.168.2.4 | 1.1.1.1
                        Oct 14, 2024 11:37:35.324193954 CEST | 53 | 64760 | 1.1.1.1 | 192.168.2.4
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Oct 14, 2024 11:37:35.316135883 CEST | 192.168.2.4 | 1.1.1.1 | 0x7dcb | Standard query (0) | desktop.gonitro.com | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Oct 14, 2024 11:37:35.324193954 CEST | 1.1.1.1 | 192.168.2.4 | 0x7dcb | No error (0) | desktop.gonitro.com | | 104.16.123.109 | A (IP address) | IN (0x0001) | false
                        Oct 14, 2024 11:37:35.324193954 CEST | 1.1.1.1 | 192.168.2.4 | 0x7dcb | No error (0) | desktop.gonitro.com | | 104.16.122.109 | A (IP address) | IN (0x0001) | false
                        • desktop.gonitro.com
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.4 | 49732 | 104.16.123.109 | 443 | 7044 | C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        Timestamp | Bytes transferred | Direction | Data
                        2024-10-14 09:37:36 UTC | 194 | OUT | POST /v14.29.1.0/events HTTP/1.1
                        Content-type: application/json
                        User-Agent: Nitro 14.29.1.0
                        Host: desktop.gonitro.com
                        Content-Length: 334
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        2024-10-14 09:37:36 UTC | 334 | OUT | Data Ascii: {"source":{"productVersion":"14.29.1.0","productLanguage":"en","product":"Pro","device":"4D321FE219B535AA5172BED36EA723AxFF864E7752F8DC68DC1F92E99B44859B1CC0DF83E20957EB8B3BEC5F8D8320E6CFFAF8829536A45EE07D07C1EC4F3EE30D6B0FC92E2772F998514CB17465F816"},"ev
                        2024-10-14 09:37:36 UTC | 739 | IN | HTTP/1.1 200 OK
                        Date: Mon, 14 Oct 2024 09:37:36 GMT
                        Content-Length: 0
                        Connection: close
                        x-envoy-upstream-service-time: 6
                        x-ratelimit-limit: 0
                        x-ratelimit-remaining: 0
                        x-ratelimit-reset: 0
                        content-security-policy: frame-ancestors none;
                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                        x-frame-options: deny
                        x-xss-protection: 1; mode=block
                        x-content-type-options: nosniff
                        referrer-policy: same-origin
                        x-download-options: noopen
                        x-dns-prefetch-control: off
                        x-permitted-cross-domain-policies: none
                        permissions-policy: camera=(),microphone=(),geolocation=(),encrypted-media=(),payment=(),usb=()
                        CF-Cache-Status: DYNAMIC
                        Server: cloudflare
                        CF-RAY: 8d2697793a7f436d-EWR
                        alt-svc: h3=":443"; ma=86400



                        Target ID:0
                        Start time:05:37:32
                        Start date:14/10/2024
                        Path:C:\Users\user\Desktop\nitro_pro14.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\nitro_pro14.exe"
                        Imagebase:0xc0000
                        File size:2'457'960 bytes
                        MD5 hash:957C08652837223A7876D64F5F93F232
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:false

                        Target ID:1
                        Start time:05:37:33
                        Start date:14/10/2024
                        Path:C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe" -burn.clean.room="C:\Users\user\Desktop\nitro_pro14.exe" -burn.filehandle.attached=652 -burn.filehandle.self=680
                        Imagebase:0xa60000
                        File size:2'457'960 bytes
                        MD5 hash:957C08652837223A7876D64F5F93F232
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 0%, ReversingLabs
                        Reputation:low
                        Has exited:false


                          Control-flow Graph

                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 000C6EDD
                            • Part of subcall function 00105605: InitializeCriticalSection.KERNEL32(0012F764,?,000C6EE9,00000000,?,?,?,?,?,?), ref: 0010561C
                            • Part of subcall function 000C1591: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,000C6F05,00000000,?), ref: 000C15CF
                            • Part of subcall function 000C1591: GetLastError.KERNEL32(?,?,?,000C6F05,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 000C15D9
                          • CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 000C6F4B
                            • Part of subcall function 000C56C9: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 000C56EA
                          • GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 000C6FDD
                          • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 000C6FE7
                          • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000C7254
                          Strings
                          • c:\agent\_work\35\s\wix\src\burn\engine\engine.cpp, xrefs: 000C700B
                          • Failed to initialize Wiutil., xrefs: 000C6FA7
                          • , xrefs: 000C71BB
                          • Failed to run per-user mode., xrefs: 000C715A
                          • Failed to run untrusted mode., xrefs: 000C717C
                          • Failed to initialize XML util., xrefs: 000C6FBF
                          • Failed to get OS info., xrefs: 000C7015
                          • Failed to initialize Regutil., xrefs: 000C6F8F
                          • Failed to run RunOnce mode., xrefs: 000C70E2
                          • Failed to initialize core., xrefs: 000C7089
                          • Failed to run per-machine mode., xrefs: 000C7132
                          • Failed to initialize engine state., xrefs: 000C6F32
                          • 3.14.0.8606, xrefs: 000C704A
                          • Failed to run embedded mode., xrefs: 000C710A
                          • Invalid run mode., xrefs: 000C70BF
                          • Failed to initialize Cryputil., xrefs: 000C6F6C
                          • Failed to initialize COM., xrefs: 000C6F57
                          • Failed to parse command line., xrefs: 000C6F0B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
                          • String ID: 3.14.0.8606$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$c:\agent\_work\35\s\wix\src\burn\engine\engine.cpp$
                          • API String ID: 3262001429-3296121404
                          • Opcode ID: eae526d848dc5b31f48bc2c4997785595d719885ae802ab854d53438bcb8925c
                          • Instruction ID: e501193cf1f085e450ca64b8ff503b063184ebddd6cf85e6c61eb018b9c6cb8b
                          • Opcode Fuzzy Hash: eae526d848dc5b31f48bc2c4997785595d719885ae802ab854d53438bcb8925c
                          • Instruction Fuzzy Hash: 73B1D631D446299BDB32AB648D46FEE76F4AF04310F0405ADF94DB6282DB719E81CF91
                          APIs
                          • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00107BC3,00000000,?,00000000), ref: 0010762F
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000EDA6D,?,000C70CB,?,00000000,?), ref: 0010763B
                          • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0010767B
                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00107687
                          • GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 00107692
                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0010769C
                          • CoCreateInstance.OLE32(0012F7E4,00000000,00000001,0010E9F0,?,?,?,?,?,?,?,?,?,?,?,000EDA6D), ref: 001076D7
                          • ExitProcess.KERNEL32 ref: 00107786
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\xmlutil.cpp, xrefs: 0010765F
                          • Wow64RevertWow64FsRedirection, xrefs: 00107694
                          • kernel32.dll, xrefs: 0010761F
                          • Wow64DisableWow64FsRedirection, xrefs: 00107681
                          • Wow64EnableWow64FsRedirection, xrefs: 00107689
                          • IsWow64Process, xrefs: 00107675
                          Similarity
                          • API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
                          • String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$c:\agent\_work\35\s\wix\src\libs\dutil\xmlutil.cpp$kernel32.dll
                          • API String ID: 2124981135-3450629486
                          • Opcode ID: eac525ba1fb76c4ce3352b8feb298f578dd6b7306ec5c5f16fbed5a3683bf0df
                          • Instruction ID: 42733fb697390263e04d353bba7322c8ab2ec6682d8377148a2b7d8104523eb6
                          • Opcode Fuzzy Hash: eac525ba1fb76c4ce3352b8feb298f578dd6b7306ec5c5f16fbed5a3683bf0df
                          • Instruction Fuzzy Hash: F741C435E04225ABDB259FA8C858FAE77A4BF04750F114569E941E72D0DBB2ED40CB90
                          APIs
                            • Part of subcall function 000C4E3A: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,000C114E,?,00000000), ref: 000C4E5B
                          • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 000C1167
                            • Part of subcall function 000C14FE: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,000C118B,cabinet.dll,00000009,?,?,00000000), ref: 000C150F
                            • Part of subcall function 000C14FE: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,000C118B,cabinet.dll,00000009,?,?,00000000), ref: 000C151A
                            • Part of subcall function 000C14FE: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 000C1528
                            • Part of subcall function 000C14FE: GetLastError.KERNEL32(?,?,?,?,?,000C118B,cabinet.dll,00000009,?,?,00000000), ref: 000C1543
                            • Part of subcall function 000C14FE: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 000C154B
                            • Part of subcall function 000C14FE: GetLastError.KERNEL32(?,?,?,?,?,000C118B,cabinet.dll,00000009,?,?,00000000), ref: 000C1560
                          • CloseHandle.KERNEL32(?,?,?,?,0010E4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 000C11AA
                          Similarity
                          • API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
                          • String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
                          • API String ID: 3687706282-3151496603
                          • Opcode ID: 9202294a1920aeffdceb6fc50b3ad83187759a8961beda9a53f6ef60c788b577
                          • Instruction ID: a69203da6a8479b22ae15a81a1be2a4ffe146a53e72957c691f592f886513966
                          • Opcode Fuzzy Hash: 9202294a1920aeffdceb6fc50b3ad83187759a8961beda9a53f6ef60c788b577
                          • Instruction Fuzzy Hash: 95218071A00218ABDB10AFA5CD45FDEBBF8EF09314F544919F951F72D2D7B099048BA4
                          Strings
                          • Failed to copy working folder., xrefs: 000DBD38
                          • Failed create working folder., xrefs: 000DBD10
                          • Failed to calculate working folder to ensure it exists., xrefs: 000DBCFA
                          Similarity
                          • API ID: CurrentDirectoryErrorLastProcessWindows
                          • String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
                          • API String ID: 3841436932-2072961686
                          • Opcode ID: 409de23b85866f20f303cf8990967d45ae57a82b62c7d1bb77e4592473dbe692
                          • Instruction ID: 62407ebeea799b37a764dc8946990de55cb256d54497513c3f45726745519ed8
                          • Opcode Fuzzy Hash: 409de23b85866f20f303cf8990967d45ae57a82b62c7d1bb77e4592473dbe692
                          • Instruction Fuzzy Hash: 1C01A732900724FACB225B55CC05CDE7BB6EF91B607214166F80076321E7729F40EAA1
                          APIs
                          • FindFirstFileW.KERNELBASE(?,?,?,00000000), ref: 000C3B67
                          • FindClose.KERNEL32(00000000,?,00000000), ref: 000C3B73
                          Similarity
                          • API ID: Find$CloseFileFirst
                          • String ID:
                          • API String ID: 2295610775-0
                          • Opcode ID: e676fb1649b9edd72958f487dfae1e1899f2560529dc084d2b97193fef5968d6
                          • Instruction ID: a3cb13895e602c5627aaea7b81d09f506ed52123e2b568dff50d3aa1b0209f04
                          • Opcode Fuzzy Hash: e676fb1649b9edd72958f487dfae1e1899f2560529dc084d2b97193fef5968d6
                          • Instruction Fuzzy Hash: F10186716001186BDB10EF66DC89EAFF7ECEFC5325F004469F518D3181D674AE898A64
                          APIs
                          • GetProcessHeap.KERNEL32(?,000001C7,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C50FA
                          • RtlAllocateHeap.NTDLL(00000000,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5101
                          Similarity
                          • API ID: Heap$AllocateProcess
                          • String ID:
                          • API String ID: 1357844191-0
                          • Opcode ID: f4d8578b3b966c272c685fe4cd1671163327f20dd618a2584ae34f6cf1b4df44
                          • Instruction ID: 12d668ce290ef91d3c1c414ead1e16a8c587166e4f120fb16166707476aad146
                          • Opcode Fuzzy Hash: f4d8578b3b966c272c685fe4cd1671163327f20dd618a2584ae34f6cf1b4df44
                          • Instruction Fuzzy Hash: 3CC08C331A020CABCF006FF9EC0EC9A3BECEB28602700C800F965C7450D6BCE0908B61
                          APIs
                          • SysFreeString.OLEAUT32(00000000), ref: 000CFD38
                          • SysFreeString.OLEAUT32(00000000), ref: 000D041C
                            • Part of subcall function 000C50E9: GetProcessHeap.KERNEL32(?,000001C7,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C50FA
                            • Part of subcall function 000C50E9: RtlAllocateHeap.NTDLL(00000000,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5101
                          Similarity
                          • API ID: FreeHeapString$AllocateProcess
                          • String ID: Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$`<u$always$c:\agent\_work\35\s\wix\src\burn\engine\package.cpp$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msi.dll$wininet.dll$yes
                          • API String ID: 336948655-310234195
                          • Opcode ID: c4e704e455f67ce195fe3b5f7e57a240e3dd5752cef0dfe8ee76dd15740d1e57
                          • Instruction ID: 38f1cc652bebb37e7982130977a30a5e3912c4fa930f69c090e1ee097abf678e
                          • Opcode Fuzzy Hash: c4e704e455f67ce195fe3b5f7e57a240e3dd5752cef0dfe8ee76dd15740d1e57
                          • Instruction Fuzzy Hash: 3C32C371E44726BBDB258B54CC45FAEBAB5AF00720F10426AF915BB3D1D771AE40CBA0

                          Control-flow Graph

                          Similarity
                          • API ID: StringVariant$AllocClearFreeInit
                          • String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$c:\agent\_work\35\s\wix\src\burn\engine\registration.cpp$yes$
                          • API String ID: 760788290-4041468376
                          • Opcode ID: 374bdf263e3d365ff527d64348d07e00fa884daae1db2594572de44730985127
                          • Instruction ID: 9312ede656d98a108f21d5dc58e347b7ac548bd4f0e9ab4afa6203de3789a42b
                          • Opcode Fuzzy Hash: 374bdf263e3d365ff527d64348d07e00fa884daae1db2594572de44730985127
                          • Instruction Fuzzy Hash: BFE1B532E48725BBDB259AA0CC42EFD76A4AB14B20F114273F910B73D0EF61AD5097E0

                          Control-flow Graph

                          APIs
                          • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 000CD20E
                          • SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000CD25C
                          • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 000CD262
                          • ReadFile.KERNELBASE(00000000,000C6139,00000040,?,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000CD2AA
                          • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 000CD2B0
                          • SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000CD30D
                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000CD313
                          • ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000CD35C
                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000CD362
                          • SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000CD3D3
                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000CD3D9
                          • ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000CD422
                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000CD428
                          • ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000CD471
                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000CD477
                          • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000CD4C3
                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000CD4C9
                            • Part of subcall function 000C50E9: GetProcessHeap.KERNEL32(?,000001C7,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C50FA
                            • Part of subcall function 000C50E9: RtlAllocateHeap.NTDLL(00000000,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5101
                          • ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000CD51C
                          • ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000CD57E
                          • SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000CD608
                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000CD612
                          Similarity
                          • API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
                          • String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$c:\agent\_work\35\s\wix\src\burn\engine\section.cpp
                          • API String ID: 3411815225-4209306440
                          • Opcode ID: e675eb7e2db7fa4281b66b907d19c50bcfe20d8387445c533837b18da0df8d5e
                          • Instruction ID: 854722edb891fdf490180cf2291f01ba271e876aa07ea91e7ed10963310809c9
                          • Opcode Fuzzy Hash: e675eb7e2db7fa4281b66b907d19c50bcfe20d8387445c533837b18da0df8d5e
                          • Instruction Fuzzy Hash: FA12C576940235ABDB349B54CD45FEE7AA4AF05710F0142BAFE08AB281E774DD81CBE1

                          Control-flow Graph

                          • Graph rendering not preserved (legend: Executed / Not Executed); first listed block: e2817-e282e
                          APIs
                          • SetEvent.KERNEL32(?,?,?,?,?,000E23C7,?,?), ref: 000E2826
                          • GetLastError.KERNEL32(?,?,?,?,000E23C7,?,?), ref: 000E2830
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,000E23C7,?,?), ref: 000E2875
                          • GetLastError.KERNEL32(?,?,?,?,000E23C7,?,?), ref: 000E2880
                          • ResetEvent.KERNEL32(?,?,?,?,?,000E23C7,?,?), ref: 000E28B8
                          • GetLastError.KERNEL32(?,?,?,?,000E23C7,?,?), ref: 000E28C2
                          Strings
                          Similarity
                          • API ID: ErrorLast$Event$ObjectResetSingleWait
                          • String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp
                          • API String ID: 1865021742-2308732301
                          • Opcode ID: 61b64bcb36a081320bf16e4ac38d55b94dcd1cdd569552f390d2b2a022d65b2a
                          • Instruction ID: 6fc01bdd5abbec25939fd27500d943693dc1a0fe1dd62200dc030aeeccb0b6fe
                          • Opcode Fuzzy Hash: 61b64bcb36a081320bf16e4ac38d55b94dcd1cdd569552f390d2b2a022d65b2a
                          • Instruction Fuzzy Hash: D5911937A85672BFD3341AA69E4AF9A6ADCBF00B20F110324FE41BE5D1D7A5DC4085D1

                          Control-flow Graph

                          • Graph rendering not preserved (legend: Executed / Not Executed); first listed block: c6a03-c6a4b
                          APIs
                            • Part of subcall function 000C4E3A: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,000C114E,?,00000000), ref: 000C4E5B
                          • CloseHandle.KERNEL32(00000000,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 000C6C0A
                          • CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 000C6C19
                          • CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 000C6C28
                          • CloseHandle.KERNEL32(?,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 000C6C33
                          Strings
                          • c:\agent\_work\35\s\wix\src\burn\engine\engine.cpp, xrefs: 000C6BB4
                          • Failed to allocate full command-line., xrefs: 000C6B58
                          • Failed to append original command line., xrefs: 000C6B33
                          • Failed to launch clean room process: %ls, xrefs: 000C6BC1
                          • Failed to append %ls, xrefs: 000C6AE6
                          • burn.filehandle.self, xrefs: 000C6B0F
                          • Failed to get path for current process., xrefs: 000C6A4D
                          • "%ls" %ls, xrefs: 000C6B44
                          • D, xrefs: 000C6B73
                          • burn.clean.room, xrefs: 000C6AA8
                          • -%ls="%ls", xrefs: 000C6AB0
                          • %ls %ls, xrefs: 000C6B1F
                          • Failed to wait for clean room process: %ls, xrefs: 000C6BED
                          • Failed to cache to clean room., xrefs: 000C6A8C
                          • Failed to allocate parameters for unelevated process., xrefs: 000C6AC4
                          • burn.filehandle.attached, xrefs: 000C6AE1
                          Similarity
                          • API ID: CloseHandle$FileModuleName
                          • String ID: "%ls" %ls$%ls %ls$-%ls="%ls"$D$Failed to allocate full command-line.$Failed to allocate parameters for unelevated process.$Failed to append %ls$Failed to append original command line.$Failed to cache to clean room.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to wait for clean room process: %ls$burn.clean.room$burn.filehandle.attached$burn.filehandle.self$c:\agent\_work\35\s\wix\src\burn\engine\engine.cpp
                          • API String ID: 3884789274-2146600369
                          • Opcode ID: 677edc4f589296e7417849cff91558cb9ec65f06932e15a1f667f79222cd579c
                          • Instruction ID: cf6c541652523a646cabc68b3605346edc683f95ff5e9b8e438ef9fa25723610
                          • Opcode Fuzzy Hash: 677edc4f589296e7417849cff91558cb9ec65f06932e15a1f667f79222cd579c
                          • Instruction Fuzzy Hash: A5717232D40629ABCF219BD4CC41FEFBBB8EF04720F104519F950B6292D7B19E418BA1

                          Control-flow Graph

                          • Graph rendering not preserved (legend: Executed / Not Executed); first listed block: d916b-d91b0
                          Strings
                          • Failed to initialize variables., xrefs: 000D91B2
                          • Failed to get manifest stream from container., xrefs: 000D920D
                          • Failed to set source process folder variable., xrefs: 000D9386
                          • WixBundleElevated, xrefs: 000D92E6, 000D92F7
                          • Failed to set source process path variable., xrefs: 000D934A
                          • WixBundleUILevel, xrefs: 000D9317, 000D9328
                          • Failed to load manifest., xrefs: 000D9229
                          • Failed to get source process folder from path., xrefs: 000D9366
                          • Failed to open attached UX container., xrefs: 000D91CF
                          • Failed to extract bootstrapper application payloads., xrefs: 000D9430
                          • Failed to open manifest stream., xrefs: 000D91EC
                          • WixBundleSourceProcessPath, xrefs: 000D9339
                          • WixBundleOriginalSource, xrefs: 000D939A
                          • Failed to get unique temporary folder for bootstrapper application., xrefs: 000D940F
                          • Failed to overwrite the %ls built-in variable., xrefs: 000D92FC
                          • Failed to set original source variable., xrefs: 000D93AB
                          • WixBundleSourceProcessFolder, xrefs: 000D9375
                          • Failed to parse command line., xrefs: 000D92A8
                          • Failed to initialize internal cache functionality., xrefs: 000D93E0
                          • Failed to load catalog files., xrefs: 000D9450
                          Similarity
                          • API ID: CriticalInitializeSection
                          • String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
                          • API String ID: 32694325-1564579409
                          • Opcode ID: 608b58c3ea5173c04f43c32a6f5c4352a239c0ad43565ef39832b388295866cc
                          • Instruction ID: f0c292720048d03d42f9f9123cf217e60e5f0ae2e64a279a90070b1b0ae66cea
                          • Opcode Fuzzy Hash: 608b58c3ea5173c04f43c32a6f5c4352a239c0ad43565ef39832b388295866cc
                          • Instruction Fuzzy Hash: 09A17772A40719BBDB269BE4CC45FEEB7ACBB04700F054227F515E7282D774EA4587A0

                          Control-flow Graph

                          • Graph rendering not preserved (legend: Executed / Not Executed); first listed block: da2ff-da34d
                          APIs
                          • CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,000C6A86,?,?,00000000,000C6A86,00000000), ref: 000DA342
                          • GetLastError.KERNEL32 ref: 000DA34F
                            • Part of subcall function 000C35C3: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 000C3659
                          • SetFilePointerEx.KERNEL32(00000000,0010E4B8,00000000,00000000,00000000,?,00000000,0010E500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000DA3FC
                          • GetLastError.KERNEL32 ref: 000DA406
                          • CloseHandle.KERNELBASE(00000000,?,00000000,0010E500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000DA531
                          Strings
                          • Failed to seek to checksum in exe header., xrefs: 000DA434
                          • Failed to seek to signature table in exe header., xrefs: 000DA49B
                          • Failed to create engine file at path: %ls, xrefs: 000DA380
                          • Failed to copy engine from: %ls to: %ls, xrefs: 000DA3D7
                          • cabinet.dll, xrefs: 000DA4AA
                          • Failed to zero out original data offset., xrefs: 000DA523
                          • msi.dll, xrefs: 000DA443
                          • Failed to seek to beginning of engine file: %ls, xrefs: 000DA3A8
                          • Failed to update signature offset., xrefs: 000DA450
                          • c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp, xrefs: 000DA373, 000DA42A, 000DA491, 000DA500
                          • Failed to seek to original data in exe burn section header., xrefs: 000DA50A
                          Similarity
                          • API ID: File$ErrorLast$CloseCreateHandlePointerRead
                          • String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp$cabinet.dll$msi.dll
                          • API String ID: 3456208997-3286128809
                          • Opcode ID: 59b37135c553e478a85ffe45212089c19e42d55fc8b98325fd0e326c9962fda5
                          • Instruction ID: 96f4642e00218adb9b4ef0998f09558828c5e0f350fd95a39e9e7d0a19b9d5f8
                          • Opcode Fuzzy Hash: 59b37135c553e478a85ffe45212089c19e42d55fc8b98325fd0e326c9962fda5
                          • Instruction Fuzzy Hash: 3C51C476B417357BE7115B649C06FBF7AA9AF45B10F010526FE00BA281E7A49D0046F7

                          Control-flow Graph

                          • Graph rendering not preserved (legend: Executed / Not Executed); first listed block: c9322-c9c1d
                          APIs
                          • InitializeCriticalSection.KERNEL32(000D91AC,000C7083,00000000,000C710B), ref: 000C9342
                          Strings
                          Similarity
                          • API ID: CriticalInitializeSection
                          • String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
                          • API String ID: 32694325-3635313340
                          • Opcode ID: 2e6299af99111e29d580c5b5973d7bffb20d14d2ede3cec735ad7ab8891b3dd0
                          • Instruction ID: e8474bb8db7fe709cb368595f4ebac9cfe8d32fe52a869be53ee646fe09d0d0f
                          • Opcode Fuzzy Hash: 2e6299af99111e29d580c5b5973d7bffb20d14d2ede3cec735ad7ab8891b3dd0
                          • Instruction Fuzzy Hash: D54267B0C156299FDB65CF5AC9897CDFAB4BB48304F9081EED64CBA650C7B00A89CF45

                          Control-flow Graph

                          • Graph rendering not preserved (legend: Executed / Not Executed); first listed block: d9eed-d9f36
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,000C714F), ref: 000D9F43
                            • Part of subcall function 00105982: OpenProcessToken.ADVAPI32(?,00000008,?,000C7083,00000000,?,?,?,?,?,?,?,000D92DE,00000000), ref: 001059A0
                            • Part of subcall function 00105982: GetLastError.KERNEL32(?,?,?,?,?,?,?,000D92DE,00000000), ref: 001059AA
                            • Part of subcall function 00105982: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,000D92DE,00000000), ref: 00105A34
                          • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 000D9F69
                          • GetLastError.KERNEL32 ref: 000D9F73
                          • GetTempPathW.KERNEL32(00000104,?,00000000), ref: 000D9FF0
                          • GetLastError.KERNEL32 ref: 000D9FFA
                          • UuidCreate.RPCRT4(?), ref: 000DA039
                          Strings
                          • Failed to convert working folder guid into string., xrefs: 000DA079
                          • Failed to ensure windows path for working folder ended in backslash., xrefs: 000D9FBE
                          • Failed to create working folder guid., xrefs: 000DA046
                          • Failed to get temp path for working folder., xrefs: 000DA028
                          • Failed to copy working folder path., xrefs: 000DA0BE
                          • Temp\, xrefs: 000D9FC8
                          • 8F, xrefs: 000D9F2F, 000DA090, 000DA0AA
                          • Failed to append bundle id on to temp path for working folder., xrefs: 000DA0A3
                          • Failed to concat Temp directory on windows path for working folder., xrefs: 000D9FE0
                          • c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp, xrefs: 000D9F97, 000DA01E, 000DA06F
                          • Failed to get windows path for working folder., xrefs: 000D9FA1
                          • %ls%ls\, xrefs: 000DA08B
                          Similarity
                          • API ID: ErrorLast$Process$CloseCreateCurrentDirectoryHandleOpenPathTempTokenUuidWindows
                          • String ID: %ls%ls\$8F$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp
                          • API String ID: 266130487-872061653
                          • Opcode ID: 8624c501ae165fb17616acb1a1bae042c248bb4808fb31b400cf4571ec38a4af
                          • Instruction ID: 17ae5b87a85a5f9431a9eec94a62c4c95e5aa112513d2296a6c1d06e2a81a2a4
                          • Opcode Fuzzy Hash: 8624c501ae165fb17616acb1a1bae042c248bb4808fb31b400cf4571ec38a4af
                          • Instruction Fuzzy Hash: 6341F632B45734A7D73097A0DC49FDEBAACAB01720F004166F905F7281E7B49E8446B7

                          Control-flow Graph

                          • Graph rendering not preserved (legend: Executed / Not Executed); first listed block: e2bfc-e2c28
                          APIs
                          • CoInitializeEx.OLE32(00000000,00000000), ref: 000E2C1E
                          • CoUninitialize.COMBASE ref: 000E2E99
                          Strings
                          • Invalid operation for this state., xrefs: 000E2E7D
                          • Failed to set operation complete event., xrefs: 000E2DC5
                          • Failed to initialize cabinet.dll., xrefs: 000E2CA0
                          • Failed to extract all files from container, erf: %d:%X:%d, xrefs: 000E2D7A
                          • c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp, xrefs: 000E2C94, 000E2DBB, 000E2E08, 000E2E47, 000E2E73
                          • Failed to wait for begin operation event., xrefs: 000E2E12
                          • Failed to reset begin operation event., xrefs: 000E2E51
                          • <the>.cab, xrefs: 000E2CBE
                          • Failed to initialize COM., xrefs: 000E2C2A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: InitializeUninitialize
                          • String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp
                          • API String ID: 3442037557-433297685
                          • Opcode ID: 39db95b67f93605ddc40c8b8f89324886247273c835e2f0d38e556dc45a2c454
                          • Instruction ID: f1e86b26ab98ea7b09785b855bde6b1360238bcc1e0cb252e836a5c5d5237c83
                          • Opcode Fuzzy Hash: 39db95b67f93605ddc40c8b8f89324886247273c835e2f0d38e556dc45a2c454
                          • Instruction Fuzzy Hash: 1A518B379882F2AFC3341B678C05EAE6A9C9B447207260366FE017F3D4DBA89D4045D2

                          APIs
                          • InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,000C6F2C,?,?,00000000,?,?), ref: 000C5FDB
                          • InitializeCriticalSection.KERNEL32(000000D0,?,?,000C6F2C,?,?,00000000,?,?), ref: 000C5FE4
                          • lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,000C6F2C,?,?,00000000,?,?), ref: 000C602A
                          • lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,000C6F2C,?,?,00000000,?,?), ref: 000C6034
                          • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,000C6F2C,?,?,00000000,?,?), ref: 000C6048
                          • lstrlenW.KERNEL32(burn.filehandle.attached,?,?,000C6F2C,?,?,00000000,?,?), ref: 000C6058
                          • lstrlenW.KERNEL32(burn.filehandle.self,?,?,000C6F2C,?,?,00000000,?,?), ref: 000C60A8
                          • lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,000C6F2C,?,?,00000000,?,?), ref: 000C60B2
                          • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,000C6F2C,?,?,00000000,?,?), ref: 000C60C6
                          • lstrlenW.KERNEL32(burn.filehandle.self,?,?,000C6F2C,?,?,00000000,?,?), ref: 000C60D6
                          Similarity
                          • API ID: lstrlen$CompareCriticalInitializeSectionString
                          • String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$c:\agent\_work\35\s\wix\src\burn\engine\engine.cpp
                          • API String ID: 3039292287-2192103917
                          • Opcode ID: 717a90d2ea3a754b788e5d829a19d31c77509ab8cb1e337f563f292b0a04f2de
                          • Instruction ID: bc6b3c248e80c0baf14dc93f41ad532d5486988e31343992281bbe23d7c7b847
                          • Opcode Fuzzy Hash: 717a90d2ea3a754b788e5d829a19d31c77509ab8cb1e337f563f292b0a04f2de
                          • Instruction Fuzzy Hash: 0851E571A40215BFC7249B69DC46F9FB7ACFB09760F08051AFA54D72D2DBB1A940CBA0

                          APIs
                          • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,000CE17F,000C70CB,?,?,000C710B), ref: 000CDFD6
                          • GetLastError.KERNEL32(?,000CE17F,000C70CB,?,?,000C710B,000C710B,00000000,?,00000000), ref: 000CDFE7
                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,000CE17F,000C70CB,?,?,000C710B,000C710B,00000000,?), ref: 000CE036
                          • GetCurrentProcess.KERNEL32(000000FF,00000000,?,000CE17F,000C70CB,?,?,000C710B,000C710B,00000000,?,00000000), ref: 000CE03C
                          • DuplicateHandle.KERNELBASE(00000000,?,000CE17F,000C70CB,?,?,000C710B,000C710B,00000000,?,00000000), ref: 000CE03F
                          • GetLastError.KERNEL32(?,000CE17F,000C70CB,?,?,000C710B,000C710B,00000000,?,00000000), ref: 000CE049
                          • SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,000CE17F,000C70CB,?,?,000C710B,000C710B,00000000,?,00000000), ref: 000CE09B
                          • GetLastError.KERNEL32(?,000CE17F,000C70CB,?,?,000C710B,000C710B,00000000,?,00000000), ref: 000CE0A5
                          Similarity
                          • API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
                          • String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$c:\agent\_work\35\s\wix\src\burn\engine\container.cpp$crypt32.dll$feclient.dll
                          • API String ID: 2619879409-4061785158
                          • Opcode ID: c3c8e311e374f9d4a2865c781f0dfdaaa4234ac4372bc24bee856e56eb1c3397
                          • Instruction ID: 57b224926d92eb4021df11ce352a7b4c79a5004dea39e259bc7302c73f6ba1ca
                          • Opcode Fuzzy Hash: c3c8e311e374f9d4a2865c781f0dfdaaa4234ac4372bc24bee856e56eb1c3397
                          • Instruction Fuzzy Hash: 8941C436140251ABD7209F19DC49F5F7BEAABC4720F21452DFD549B282DBB2D8918BA0

                          APIs
                            • Part of subcall function 000C13CA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 000C1409
                            • Part of subcall function 000C13CA: GetLastError.KERNEL32(?,?), ref: 000C1413
                            • Part of subcall function 000C4143: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 000C4174
                          • GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 0010710A
                          • GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 0010712A
                          • GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 0010714A
                          • GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 0010716A
                          • GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 0010718A
                          • GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 001071AA
                          • GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 001071CA
                          Similarity
                          • API ID: AddressProc$ErrorLast$DirectorySystem
                          • String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
                          • API String ID: 2510051996-1735120554
                          • Opcode ID: a07b0346084c5cea4f4dce8cad1eccb712df7735e7811364a001698a437ab672
                          • Instruction ID: 36ff73c1c1d87f8a8a3148581720dd7b7d35c2453f8ff8c9b86f9a02587bdf7f
                          • Opcode Fuzzy Hash: a07b0346084c5cea4f4dce8cad1eccb712df7735e7811364a001698a437ab672
                          • Instruction Fuzzy Hash: 9931CE72944218BFDB219F60ED22B6A7AB5EB11B55F40103EE50096AF0E7B119F7DF80
                          APIs
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,000CE0EB,?,00000000,?,000CE17F), ref: 000E3276
                          • GetLastError.KERNEL32(?,000CE0EB,?,00000000,?,000CE17F,000C70CB,?,?,000C710B,000C710B,00000000,?,00000000), ref: 000E327F
                          Strings
                          • wininet.dll, xrefs: 000E3255
                          • c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp, xrefs: 000E32A3, 000E32E9, 000E3335
                          • Failed to create operation complete event., xrefs: 000E32F3
                          • Failed to create begin operation event., xrefs: 000E32AD
                          • Failed to create extraction thread., xrefs: 000E333F
                          • Failed to copy file name., xrefs: 000E3261
                          • Failed to wait for operation complete., xrefs: 000E3352
                          Similarity
                          • API ID: CreateErrorEventLast
                          • String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp$wininet.dll
                          • API String ID: 545576003-1251444568
                          • Opcode ID: 72bc297a03d7d0d3b854f2f8f3f739d0e7503948c6940efedc4769213ba30e36
                          • Instruction ID: 16880320862ae6408fadae7da6c5dc66fb5fec2deb68921e6fca303e1bd7d0f3
                          • Opcode Fuzzy Hash: 72bc297a03d7d0d3b854f2f8f3f739d0e7503948c6940efedc4769213ba30e36
                          • Instruction Fuzzy Hash: E121DC73A407767FD22116A65C4EFAB6EDCAF007A0B010625FE81BB581EBA1DE4045E1
                          APIs
                          • GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 00104DE1
                          • GetProcAddress.KERNEL32(SystemFunction041), ref: 00104DF3
                          • GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 00104E36
                          • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00104E4A
                          • GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 00104E82
                          • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00104E96
                          Similarity
                          • API ID: AddressProc$ErrorLast
                          • String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$c:\agent\_work\35\s\wix\src\libs\dutil\cryputil.cpp
                          • API String ID: 4214558900-2927822183
                          • Opcode ID: 9a9f04c0e90a7eda57de22e590d291aaf9ac51699dd66e01b60aa97351139786
                          • Instruction ID: b34c3e4a0ae38d7be08ada1b4064667a7e2527710b4b06646dd794848fbe0cd4
                          • Opcode Fuzzy Hash: 9a9f04c0e90a7eda57de22e590d291aaf9ac51699dd66e01b60aa97351139786
                          • Instruction Fuzzy Hash: 7E2153B294123177C7315755ED89B5679F0FB44B54F020138EE80AAAE1E7F49CA39BE0
                          APIs
                          • CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 000E23FD
                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 000E2415
                          • GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 000E241A
                          • DuplicateHandle.KERNELBASE(00000000,?,?), ref: 000E241D
                          • GetLastError.KERNEL32(?,?), ref: 000E2427
                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 000E2496
                          • GetLastError.KERNEL32(?,?), ref: 000E24A3
                          Strings
                          • Failed to duplicate handle to cab container., xrefs: 000E2455
                          • c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp, xrefs: 000E244B, 000E24C7
                          • <the>.cab, xrefs: 000E23F6
                          • Failed to add virtual file pointer for cab container., xrefs: 000E247C
                          • Failed to open cabinet file: %hs, xrefs: 000E24D4
                          Similarity
                          • API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
                          • String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp
                          • API String ID: 3030546534-3716170073
                          • Opcode ID: 9adcf17efcf2fe7fcc580e41d5ec5fe9280e89324fc275730350b590108b4eb6
                          • Instruction ID: 633cc67be6022284d40e0a22aeb1a35f4056e071760023fe0ee4e217b879e796
                          • Opcode Fuzzy Hash: 9adcf17efcf2fe7fcc580e41d5ec5fe9280e89324fc275730350b590108b4eb6
                          • Instruction Fuzzy Hash: 1731F5B2941635BFE7215B969C49E8A7F9CFF04760F114125FD04BB290D770AD418AE0
                          APIs
                          • GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,?,00000000,?,?,000C6ADB,?,?), ref: 000D86AD
                          • GetCurrentProcess.KERNEL32(?,00000000,?,?,000C6ADB,?,?), ref: 000D86B3
                          • DuplicateHandle.KERNELBASE(00000000,?,?,000C6ADB,?,?), ref: 000D86B6
                          • GetLastError.KERNEL32(?,?,000C6ADB,?,?), ref: 000D86C0
                          • CloseHandle.KERNEL32(000000FF,?,000C6ADB,?,?), ref: 000D8739
                          Strings
                          • c:\agent\_work\35\s\wix\src\burn\engine\core.cpp, xrefs: 000D86E4
                          • %ls -%ls=%u, xrefs: 000D870D
                          • Failed to duplicate file handle for attached container., xrefs: 000D86EE
                          • Failed to append the file handle to the command line., xrefs: 000D8721
                          • burn.filehandle.attached, xrefs: 000D8706
                          Similarity
                          • API ID: CurrentHandleProcess$CloseDuplicateErrorLast
                          • String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$c:\agent\_work\35\s\wix\src\burn\engine\core.cpp
                          • API String ID: 4224961946-3495676732
                          • Opcode ID: 73b8a7663fd4dded9caed0ec9ec9f53bfe427f304b6bcdbbd2a9e8c5caa9a2a0
                          • Instruction ID: 0301240e7c103bd8963a3f251d382d26d56da33e3668aad20542df0e866556e2
                          • Opcode Fuzzy Hash: 73b8a7663fd4dded9caed0ec9ec9f53bfe427f304b6bcdbbd2a9e8c5caa9a2a0
                          • Instruction Fuzzy Hash: 1511D632A41325B7C7249BA59C05E8E7BA8AF04B70F204711F920FB2D0DBB4DE0197A0
                          APIs
                          • OpenProcessToken.ADVAPI32(?,00000008,?,000C7083,00000000,?,?,?,?,?,?,?,000D92DE,00000000), ref: 001059A0
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,000D92DE,00000000), ref: 001059AA
                          • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,000D92DE,00000000), ref: 001059DC
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,000D92DE,00000000), ref: 001059F5
                          • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,000D92DE,00000000), ref: 00105A34
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\procutil.cpp, xrefs: 00105A22
                          Similarity
                          • API ID: ErrorLastToken$CloseHandleInformationOpenProcess
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\procutil.cpp
                          • API String ID: 4040495316-853185775
                          • Opcode ID: e04053fe11bed0c3b33424a9e3b97867a33ab5c61b6bfa84ceadfc43f6b8518a
                          • Instruction ID: 565e5cf2801c4d86cb87060ef051f0d993d20aaad8de4aa474b6476a37dbdb84
                          • Opcode Fuzzy Hash: e04053fe11bed0c3b33424a9e3b97867a33ab5c61b6bfa84ceadfc43f6b8518a
                          • Instruction Fuzzy Hash: 5521A436E00639EBC7219B598845A9FBFA9EF10760F024155FD85BB290D3F08E40DE90
                          APIs
                          • CreateFileW.KERNELBASE(?,80000000,00000005,?,00000003,00000080,00000000,?,00000000,?,?,?), ref: 000D877B
                          • CloseHandle.KERNEL32(00000000), ref: 000D87EB
                          Similarity
                          • API ID: CloseCreateFileHandle
                          • String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self
                          • API String ID: 3498533004-3263533295
                          • Opcode ID: 25b66596f83fba38952247067fcf7f2a60ae83c901ecca39c1d237c6771b1b28
                          • Instruction ID: e23388e587db0554504f22a7345f863fe9521eedd76bce59a6c24fb52d270047
                          • Opcode Fuzzy Hash: 25b66596f83fba38952247067fcf7f2a60ae83c901ecca39c1d237c6771b1b28
                          • Instruction Fuzzy Hash: C5110831A40311BBC7215B598C45F8F7AA8AB41B70F208252FC20E73D1DBB0D55187B0
                          APIs
                          • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 000C4174
                          • GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 000C41A1
                          • GetLastError.KERNEL32(?,00000000,?,00000000), ref: 000C41CD
                          • GetLastError.KERNEL32(00000000,0010E564,?,00000000,?,00000000,?,00000000), ref: 000C420B
                          • GlobalFree.KERNEL32(00000000), ref: 000C423C
                          Similarity
                          • API ID: ErrorLast$Global$AllocFree
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\fileutil.cpp
                          • API String ID: 1145190524-3288686069
                          APIs
                          • SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 000E262E
                          • GetLastError.KERNEL32(?,?,?), ref: 000E2638
                          Strings
                          • Failed to move file pointer 0x%x bytes., xrefs: 000E2669
                          • c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp, xrefs: 000E265C
                          • Invalid seek type., xrefs: 000E25C4
                          Similarity
                          • API ID: ErrorFileLastPointer
                          • String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp
                          • API String ID: 2976181284-852963465
                          APIs
                          • CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,000DBD0A,00000000,00000000,?,00000000,000C7083,00000000,?,?,000CF29E,?), ref: 000C1B35
                          • GetLastError.KERNEL32(?,000DBD0A,00000000,00000000,?,00000000,000C7083,00000000,?,?,000CF29E,?,00000000,00000000), ref: 000C1B43
                          • CreateDirectoryW.KERNEL32(?,840F01E8,000C714F,?,000DBD0A,00000000,00000000,?,00000000,000C7083,00000000,?,?,000CF29E,?,00000000), ref: 000C1BB3
                          • GetLastError.KERNEL32(?,000DBD0A,00000000,00000000,?,00000000,000C7083,00000000,?,?,000CF29E,?,00000000,00000000), ref: 000C1BBD
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\dirutil.cpp, xrefs: 000C1BED
                          Similarity
                          • API ID: CreateDirectoryErrorLast
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\dirutil.cpp
                          • API String ID: 1375471231-3536287376
                          APIs
                          • CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,000C828E,000C828E,?,000C7301,?,?,00000000), ref: 000C73A7
                          • GetLastError.KERNEL32(?,000C7301,?,?,00000000,?,?,000C828E,?,000C9C40,?,?,?,?,?), ref: 000C73D6
                          Strings
                          • version.dll, xrefs: 000C7399
                          • Failed to compare strings., xrefs: 000C7404
                          • c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp, xrefs: 000C73FA
                          Similarity
                          • API ID: CompareErrorLastString
                          • String ID: Failed to compare strings.$c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp$version.dll
                          • API String ID: 1733990998-1155024929
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 00107B2E
                          • CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,0012F7E4,00000001,00000000,000C6FB9,?,?,?,?,?,?), ref: 00107B66
                          • CLSIDFromProgID.OLE32(MSXML.DOMDocument,0012F7E4,?,?,?,?,?,?), ref: 00107B72
                          Strings
                          Similarity
                          • API ID: FromProg$Initialize
                          • String ID: MSXML.DOMDocument$Msxml2.DOMDocument
                          • API String ID: 4047641309-2356320334
                          APIs
                            • Part of subcall function 000E2F0D: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,000E2522,?,?,?), ref: 000E2F35
                            • Part of subcall function 000E2F0D: GetLastError.KERNEL32(?,000E2522,?,?,?), ref: 000E2F3F
                          • ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 000E2530
                          • GetLastError.KERNEL32 ref: 000E253A
                          Strings
                          • c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp, xrefs: 000E255E
                          • Failed to read during cabinet extraction., xrefs: 000E2568
                          Similarity
                          • API ID: ErrorFileLast$PointerRead
                          • String ID: Failed to read during cabinet extraction.$c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp
                          • API String ID: 2170121939-1030764530
                          APIs
                          • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,000E2522,?,?,?), ref: 000E2F35
                          • GetLastError.KERNEL32(?,000E2522,?,?,?), ref: 000E2F3F
                          Strings
                          • c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp, xrefs: 000E2F63
                          • Failed to move to virtual file pointer., xrefs: 000E2F6D
                          Similarity
                          • API ID: ErrorFileLastPointer
                          • String ID: Failed to move to virtual file pointer.$c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp
                          • API String ID: 2976181284-742571992
                          APIs
                          • ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 000C3659
                          • GetLastError.KERNEL32 ref: 000C36BC
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 000C36E0
                          Similarity
                          • API ID: ErrorFileLastRead
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\fileutil.cpp
                          • API String ID: 1948546556-3288686069
                          APIs
                          • WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,000C3680,?,?,?), ref: 000C452E
                          • GetLastError.KERNEL32(?,?,000C3680,?,?,?), ref: 000C4538
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 000C4561
                          Similarity
                          • API ID: ErrorFileLastWrite
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\fileutil.cpp
                          • API String ID: 442123175-3288686069
                          APIs
                          • ExitProcess.KERNEL32 ref: 000C10DA
                            • Part of subcall function 000C1C00: GetFileAttributesW.KERNELBASE(?,00000000,?,000C109F,?,00000000), ref: 000C1C09
                            • Part of subcall function 000C3B2C: FindFirstFileW.KERNELBASE(?,?,?,00000000), ref: 000C3B67
                            • Part of subcall function 000C3B2C: FindClose.KERNEL32(00000000,?,00000000), ref: 000C3B73
                          Strings
                          Similarity
                          • API ID: FileFind$AttributesCloseExitFirstProcess
                          • String ID: %ls.local$Comctl32.dll
                          • API String ID: 3456499317-3877841543
                          APIs
                          • SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,000DA39F,00000000,00000000,00000000,00000000,00000000), ref: 000C4000
                          • GetLastError.KERNEL32(?,?,?,000DA39F,00000000,00000000,00000000,00000000,00000000), ref: 000C400A
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 000C402E
                          Similarity
                          • API ID: ErrorFileLastPointer
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\fileutil.cpp
                          • API String ID: 2976181284-3288686069
                          APIs
                          • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0,00000000,?,00108D90,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 000C5840
                          Strings
                          • 0, xrefs: 000C5830
                          • c:\agent\_work\35\s\wix\src\libs\dutil\regutil.cpp, xrefs: 000C587D
                          Similarity
                          • API ID: Open
                          • String ID: 0$c:\agent\_work\35\s\wix\src\libs\dutil\regutil.cpp
                          • API String ID: 71445658-801289712
                          APIs
                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 000C1409
                          • GetLastError.KERNEL32(?,?), ref: 000C1413
                          • LoadLibraryW.KERNELBASE(?,?,00000104,?,?,?), ref: 000C147C
                          Similarity
                          • API ID: DirectoryErrorLastLibraryLoadSystem
                          • String ID:
                          • API String ID: 1230559179-0
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,001053C8,00000000,8007139F,?,00000000,00000000,8007139F,?,?,?,0010535C,000001C7), ref: 000C51B8
                          • RtlFreeHeap.NTDLL(00000000,?,001053C8,00000000,8007139F,?,00000000,00000000,8007139F,?,?,?,0010535C,000001C7,?,?), ref: 000C51BF
                          • GetLastError.KERNEL32(?,001053C8,00000000,8007139F,?,00000000,00000000,8007139F,?,?,?,0010535C,000001C7,?,?), ref: 000C51C9
                          Similarity
                          • API ID: Heap$ErrorFreeLastProcess
                          • String ID:
                          • API String ID: 406640338-0
                          APIs
                          • RegCloseKey.ADVAPI32(80070490,00000000,80070490,0,00000000,80070490,?,?,000DA742,WiX\Burn,PackageCache,00000000,0,00000000,00000000,80070490), ref: 00108E75
                            • Part of subcall function 000C5967: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 000C59DD
                            • Part of subcall function 000C5967: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 000C5A15
                          Strings
                          Similarity
                          • API ID: QueryValue$Close
                          • String ID: 0
                          • API String ID: 1979452859-3684773922
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 00107BB2
                            • Part of subcall function 00107615: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00107BC3,00000000,?,00000000), ref: 0010762F
                            • Part of subcall function 00107615: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000EDA6D,?,000C70CB,?,00000000,?), ref: 0010763B
                          Similarity
                          • API ID: ErrorHandleInitLastModuleVariant
                          • String ID:
                          • API String ID: 52713655-0
                          APIs
                          • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,000DA7FC,0000001C,80070490,00000000,00000000,80070490), ref: 000C4F3E
                          Similarity
                          • API ID: FolderPath
                          • String ID:
                          • API String ID: 1514166925-0
                          APIs
                          • GetFileAttributesW.KERNELBASE(?,00000000,?,000C109F,?,00000000), ref: 000C1C09
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 001045A8
                            • Part of subcall function 000EFD56: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EFDC9
                            • Part of subcall function 000EFD56: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EFDDA
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 001045A8
                            • Part of subcall function 000EFD56: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EFDC9
                            • Part of subcall function 000EFD56: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EFDDA
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 001045A8
                            • Part of subcall function 000EFD56: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EFDC9
                            • Part of subcall function 000EFD56: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EFDDA
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 000EFA8E
                            • Part of subcall function 000EFD56: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EFDC9
                            • Part of subcall function 000EFD56: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EFDDA
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 000EFA8E
                            • Part of subcall function 000EFD56: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EFDC9
                            • Part of subcall function 000EFD56: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EFDDA
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 000EFA8E
                            • Part of subcall function 000EFD56: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EFDC9
                            • Part of subcall function 000EFD56: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EFDDA
                          Similarity
                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                          • String ID:
                          • API String ID: 1269201914-0
                          APIs
                          • lstrlenW.KERNEL32(?,?,00000000,00000000,?,000C2C85,?,?,000C149E,00000000,?,000C149E,?,?,00000104), ref: 000C1F29
                            • Part of subcall function 000C5369: GetProcessHeap.KERNEL32(00000000,000001C7,?,000C2CA9,000001C7,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5371
                            • Part of subcall function 000C5369: HeapSize.KERNEL32(00000000,?,000C2CA9,000001C7,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5378
                          Similarity
                          • API ID: Heap$ProcessSizelstrlen
                          • String ID:
                          • API String ID: 3492610842-0
                          APIs
                          • GetFileAttributesW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 000C175F
                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C1772
                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000001,00000000,?), ref: 000C17BD
                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C17C7
                          • GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001,00000000,?), ref: 000C181A
                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C1824
                          • FindFirstFileW.KERNEL32(?,?,?,*.*,?,?,?,?,00000001,00000000,?), ref: 000C1878
                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C1889
                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000001,00000000,?), ref: 000C195B
                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00000001,00000000,?), ref: 000C196F
                          • GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000001,00000000,?), ref: 000C1998
                          • MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000001,00000000,?), ref: 000C19BB
                          • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 000C19D4
                          • FindNextFileW.KERNEL32(000000FF,?,?,?,?,?,?,?,00000001,00000000,?), ref: 000C19E4
                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C19F9
                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C1A28
                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C1A4A
                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C1A6C
                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C1A77
                          • RemoveDirectoryW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 000C1AA0
                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C1AAA
                          • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 000C1ACE
                          • FindClose.KERNEL32(000000FF,?,?,?,00000001,00000000,?), ref: 000C1AFA
                          Similarity
                          • API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
                          • String ID: *.*$DEL$c:\agent\_work\35\s\wix\src\libs\dutil\dirutil.cpp
                          • API String ID: 1544372074-2078274935
                          Strings
                          • crypt32.dll, xrefs: 000E5EED
                          • Failed to add feature action properties to argument string., xrefs: 000E5F9C
                          • Failed to add obfuscated properties to argument string., xrefs: 000E5F7A
                          • REINSTALL=ALL, xrefs: 000E60B6, 000E6130
                          • Failed to add reinstall mode and reboot suppression properties on repair., xrefs: 000E617E
                          • Failed to add reinstall mode and reboot suppression properties on minor upgrade., xrefs: 000E60EF
                          • WixBundleExecutePackageCacheFolder, xrefs: 000E5E4D, 000E6387
                          • Failed to uninstall MSI package., xrefs: 000E62D2
                          • ACTION=ADMIN, xrefs: 000E61EC
                          • %ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress, xrefs: 000E616A
                          • IGNOREDEPENDENCIES, xrefs: 000E6188, 000E6267
                          • Failed to add ADMIN property on admin install., xrefs: 000E6201
                          • Failed to add patch properties to obfuscated argument string., xrefs: 000E6002
                          • Failed to add patch properties to argument string., xrefs: 000E5FE0
                          • Failed to add properties to argument string., xrefs: 000E5F46
                          • %ls %ls=ALL, xrefs: 000E6199, 000E6278
                          • Failed to enable logging for package: %ls to: %ls, xrefs: 000E5F02
                          • feclient.dll, xrefs: 000E5DA8, 000E5E30, 000E5F00, 000E602E, 000E62BB
                          • Failed to install MSI package., xrefs: 000E6229
                          • Failed to add the list of dependencies to ignore to the properties., xrefs: 000E61AD
                          • WixBundleExecutePackageAction, xrefs: 000E5E9A, 000E6397
                          • Failed to build MSI path., xrefs: 000E5E80
                          • msasn1.dll, xrefs: 000E5EEE
                          • REBOOT=ReallySuppress, xrefs: 000E6083, 000E624F
                          • Failed to add feature action properties to obfuscated argument string., xrefs: 000E5FBE
                          • Failed to run maintanance mode for MSI package., xrefs: 000E61D9
                          • Failed to add reboot suppression property on uninstall., xrefs: 000E6260
                          • Failed to add reboot suppression property on install., xrefs: 000E609E
                          • Failed to add reinstall all property on minor upgrade., xrefs: 000E60CD
                          • Failed to perform minor upgrade of MSI package., xrefs: 000E611B
                          • Failed to get cached path for package: %ls, xrefs: 000E5E32
                          • REINSTALLMODE="vomus" REBOOT=ReallySuppress, xrefs: 000E60D8
                          • Failed to initialize external UI handler., xrefs: 000E5ED7
                          • VersionString, xrefs: 000E5D71, 000E5DD2
                          Similarity
                          • API ID:
                          • String ID: ACTION=ADMIN$ REBOOT=ReallySuppress$ REINSTALL=ALL$ REINSTALLMODE="vomus" REBOOT=ReallySuppress$%ls %ls=ALL$%ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress$Failed to add ADMIN property on admin install.$Failed to add feature action properties to argument string.$Failed to add feature action properties to obfuscated argument string.$Failed to add obfuscated properties to argument string.$Failed to add patch properties to argument string.$Failed to add patch properties to obfuscated argument string.$Failed to add properties to argument string.$Failed to add reboot suppression property on install.$Failed to add reboot suppression property on uninstall.$Failed to add reinstall all property on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on repair.$Failed to add the list of dependencies to ignore to the properties.$Failed to build MSI path.$Failed to enable logging for package: %ls to: %ls$Failed to get cached path for package: %ls$Failed to initialize external UI handler.$Failed to install MSI package.$Failed to perform minor upgrade of MSI package.$Failed to run maintanance mode for MSI package.$Failed to uninstall MSI package.$IGNOREDEPENDENCIES$VersionString$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$crypt32.dll$feclient.dll$msasn1.dll
                          • API String ID: 0-2033600224
                          APIs
                          • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00105D96
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00105DA0
                          • CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00105DED
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00105DF3
                          • CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 00105E2D
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00105E33
                          • CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 00105E73
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00105E79
                          • CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 00105EB9
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00105EBF
                          • CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 00105EFF
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00105F05
                          • SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 00105FF6
                          • SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 00106030
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0010603A
                          • SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 00106072
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0010607C
                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001060B5
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001060BF
                          • CoInitializeSecurity.OLE32(?,000000FF,00000000,00000000,00000006,00000002,00000000,00003000,00000000), ref: 001060FD
                          • LocalFree.KERNEL32(?), ref: 00106113
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\srputil.cpp, xrefs: 00105DC1
                          Similarity
                          • API ID: ErrorLast$CreateKnownSecurityWell$Descriptor$Initialize$DaclEntriesFreeGroupLocalOwner
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\srputil.cpp
                          • API String ID: 267631441-2763191617
                          Strings
                          • Failed to copy download source for pseudo bundle., xrefs: 000EDEAE
                          • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 000EDE03
                          • Failed to copy local source path for pseudo bundle., xrefs: 000EDE80
                          • Failed to copy version for pseudo bundle., xrefs: 000EE172
                          • c:\agent\_work\35\s\wix\src\burn\engine\pseudobundle.cpp, xrefs: 000EDDBE, 000EDDF7, 000EDEE6, 000EE117
                          • Failed to copy filename for pseudo bundle., xrefs: 000EDE5C
                          • Failed to allocate memory for dependency providers., xrefs: 000EE123
                          • -%ls, xrefs: 000EDD95
                          • Failed to copy key for pseudo bundle payload., xrefs: 000EDE38
                          • Failed to append relation type to repair arguments for related bundle package, xrefs: 000EE036
                          • Failed to allocate memory for pseudo bundle payload hash., xrefs: 000EDEF2
                          • Failed to copy display name for pseudo bundle., xrefs: 000EE194
                          • Failed to append relation type to uninstall arguments for related bundle package, xrefs: 000EE089
                          • Failed to copy uninstall arguments for related bundle package, xrefs: 000EE068
                          • Failed to append relation type to install arguments for related bundle package, xrefs: 000EDFED
                          • Failed to copy repair arguments for related bundle package, xrefs: 000EE015
                          • Failed to copy install arguments for related bundle package, xrefs: 000EDFCC
                          • Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 000EDDCA
                          • Failed to copy key for pseudo bundle., xrefs: 000EDF85
                          • Failed to copy cache id for pseudo bundle., xrefs: 000EDFA4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Heap$AllocateProcess
                          • String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$c:\agent\_work\35\s\wix\src\burn\engine\pseudobundle.cpp
                          • API String ID: 1357844191-2180241330
                          • Opcode ID: 6f58344f5e2604c15fd42d60f7c9510d09adaae9cb6c98d9b53598fa02f5835b
                          • Instruction ID: 08f0f8eaf1ac2fcffa59311526cd5d0d32c4cbc5b27202611c37fea094f9c160
                          • Opcode Fuzzy Hash: 6f58344f5e2604c15fd42d60f7c9510d09adaae9cb6c98d9b53598fa02f5835b
                          • Instruction Fuzzy Hash: CEC1C0716006AAAFDB25DF26DC41FAA7698FF08710F00462AF815EB352DB75ED508B90
                          APIs
                          • GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 000C62EB
                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 000C62F2
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 000C62FC
                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 000C634C
                          • GetLastError.KERNEL32 ref: 000C6356
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 000C639A
                          • GetLastError.KERNEL32 ref: 000C63A4
                          • Sleep.KERNEL32(000003E8), ref: 000C63E0
                          • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,80040002), ref: 000C63F1
                          • GetLastError.KERNEL32 ref: 000C63FB
                          • CloseHandle.KERNEL32(?), ref: 000C6451
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ErrorLast$ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSleepSystemValue
                          • String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$c:\agent\_work\35\s\wix\src\burn\engine\engine.cpp
                          • API String ID: 2241679041-3673403848
                          • Opcode ID: 44bd2ec44a52e75c065631023d06efa804f9f8fc03fa5f0ff7565563514e9865
                          • Instruction ID: 23ffc8d64372cb7d9093e93f332ce5385a4b13a519e558d2e9069be4a82208dc
                          • Opcode Fuzzy Hash: 44bd2ec44a52e75c065631023d06efa804f9f8fc03fa5f0ff7565563514e9865
                          • Instruction Fuzzy Hash: AE41A876A40235BBE73057A58D4AFBF7AE8AB00B50F01052CFE81FB5C1DAB69D4045E1
                          APIs
                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 000D6BD0
                          • GetLastError.KERNEL32(?,00000000,?,?,000C6205,?), ref: 000D6BD9
                          • CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,?,?,00000000,?,?,000C6205,?), ref: 000D6C7B
                          • GetLastError.KERNEL32(?,000C6205,?), ref: 000D6C88
                          • CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,00000000,?,?,?,?,?,?,?,000C6205), ref: 000D6D03
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,000C6205,?), ref: 000D6D0E
                          • CloseHandle.KERNEL32(00000000,c:\agent\_work\35\s\wix\src\burn\engine\pipe.cpp,00000132,00000000,?,?,?,?,?,?,?,000C6205,?), ref: 000D6D4E
                          • LocalFree.KERNEL32(00000000,?,000C6205,?), ref: 000D6D7C
                          Strings
                          • D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 000D6BCB
                          • Failed to create the security descriptor for the connection event and pipe., xrefs: 000D6C07
                          • \\.\pipe\%ls, xrefs: 000D6C31
                          • Failed to allocate full name of cache pipe: %ls, xrefs: 000D6CE5
                          • \\.\pipe\%ls.Cache, xrefs: 000D6CCF
                          • Failed to allocate full name of pipe: %ls, xrefs: 000D6C47
                          • c:\agent\_work\35\s\wix\src\burn\engine\pipe.cpp, xrefs: 000D6BFD, 000D6CAC, 000D6D32
                          • Failed to create pipe: %ls, xrefs: 000D6CB9, 000D6D3F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ErrorLast$CreateDescriptorNamedPipeSecurity$CloseConvertFreeHandleLocalString
                          • String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$c:\agent\_work\35\s\wix\src\burn\engine\pipe.cpp
                          • API String ID: 1214480349-1161080552
                          • Opcode ID: c56080c657f7452618d54e6614d1a381848baa2182c26d5a1bd69e75d743f415
                          • Instruction ID: 64b3ac9117328bcc2999a33ee216231b51e5e60c75bfa43be6ad3f8271554fec
                          • Opcode Fuzzy Hash: c56080c657f7452618d54e6614d1a381848baa2182c26d5a1bd69e75d743f415
                          • Instruction Fuzzy Hash: AE51B472E40325BBDB215B94DD46FEE7AB5EF04710F100526FD40BA2D1E7B65E808AA1
                          APIs
                          • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000003,F0000040,00000003,00000000,00000000,000DBB28,00000003,000007D0,00000003,?,000007D0,?,000007D0), ref: 00104BD4
                          • GetLastError.KERNEL32 ref: 00104BDE
                          • CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?), ref: 00104C1B
                          • GetLastError.KERNEL32 ref: 00104C25
                          • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00104C6C
                          • ReadFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 00104C90
                          • GetLastError.KERNEL32 ref: 00104C9A
                          • CryptDestroyHash.ADVAPI32(00000000), ref: 00104CD7
                          • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00104CEE
                          • GetLastError.KERNEL32 ref: 00104D07
                          • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00104D3F
                          • GetLastError.KERNEL32 ref: 00104D49
                          • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00008004,00000001), ref: 00104D82
                          • GetLastError.KERNEL32 ref: 00104D90
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\cryputil.cpp, xrefs: 00104CBE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: CryptErrorLast$Hash$ContextFile$AcquireCreateDataDestroyParamPointerReadRelease
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\cryputil.cpp
                          • API String ID: 3955742341-4137755896
                          • Opcode ID: 945a5ce80a8ddb67088090ea81e0bd38aeb73d1418d85d1bceac3f1504ea36af
                          • Instruction ID: 867dcb8e98b741fcdb0ef6a05267c895e57640cc008cd1683659352f60f82071
                          • Opcode Fuzzy Hash: 945a5ce80a8ddb67088090ea81e0bd38aeb73d1418d85d1bceac3f1504ea36af
                          • Instruction Fuzzy Hash: B551F7B6E41179ABE7318B958D48BDA7AA4AF04751F0141A5BFC8FB1C0D7F08D809BE0
                          Strings
                          • Failed to move verified file to complete payload path: %ls, xrefs: 000DBC90
                          • Failed to get cached path for package with cache id: %ls, xrefs: 000DBAEC
                          • Failed to transfer working path to unverified path for payload: %ls., xrefs: 000DBBC8
                          • moving, xrefs: 000DBC4D
                          • Failed to create unverified path., xrefs: 000DBB92
                          • copying, xrefs: 000DBC54, 000DBC5C
                          • Failed to reset permissions on unverified cached payload: %ls, xrefs: 000DBC15
                          • Failed to concat complete cached path., xrefs: 000DBB18
                          • Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 000DBBEF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID:
                          • String ID: Failed to concat complete cached path.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$copying$moving
                          • API String ID: 0-1289240508
                          • Opcode ID: c05031db2c4a8e323530dc3c13f71a79756dc6d39f6ff8537595de4cd51928e7
                          • Instruction ID: 42478d52bd876a209d66bc89f2b5616fe6c628cca56666f95e8a9907dc7ce35f
                          • Opcode Fuzzy Hash: c05031db2c4a8e323530dc3c13f71a79756dc6d39f6ff8537595de4cd51928e7
                          • Instruction Fuzzy Hash: 51515131D50315FBDF226B94CD02FDE7E76AF14710F114162F900752A2DBB29E60ABA1
                          APIs
                          • GetVersionExW.KERNEL32(0000011C), ref: 000C7FF7
                          • GetLastError.KERNEL32 ref: 000C8001
                          Strings
                          • Failed to get OS info., xrefs: 000C802F
                          • Failed to set variant value., xrefs: 000C8122
                          • c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp, xrefs: 000C8025
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ErrorLastVersion
                          • String ID: Failed to get OS info.$Failed to set variant value.$c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp
                          • API String ID: 305913169-515845614
                          • Opcode ID: 61e2a5a609674b7f0d1c9779f1c1e7eaecf35a49aa95fbe7a33aa74a5f5fcbf5
                          • Instruction ID: c48a60f86c2594337941060952896e7aa30d2e371f862ee1ca0f588474f30eab
                          • Opcode Fuzzy Hash: 61e2a5a609674b7f0d1c9779f1c1e7eaecf35a49aa95fbe7a33aa74a5f5fcbf5
                          • Instruction Fuzzy Hash: DB41D671A00228ABDB709B59CC45FEF7BF8EB85710F10455DB944E7181DB709E85CB54
                          APIs
                          • EnterCriticalSection.KERNEL32(0012F764,00000000,?,?,?,?,000E2DD0,8007139F,Invalid operation for this state.,c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 00104FFE
                          • GetCurrentProcessId.KERNEL32(00000000,?,000E2DD0,8007139F,Invalid operation for this state.,c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 0010500E
                          • GetCurrentThreadId.KERNEL32 ref: 00105017
                          • GetLocalTime.KERNEL32(8007139F,?,000E2DD0,8007139F,Invalid operation for this state.,c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 0010502D
                          • LeaveCriticalSection.KERNEL32(0012F764,000E2DD0,?,00000000,0000FDE9,?,000E2DD0,8007139F,Invalid operation for this state.,c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 00105124
                          Strings
                          • %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 001050CA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
                          • String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
                          • API String ID: 296830338-59366893
                          • Opcode ID: 6df77f19975070fe18cfb18956bc38933481bfb8021d6340661d5575e34e8c58
                          • Instruction ID: 79712d1f128dea29a7163f8505cb3b4ff48ae1283b64fe2e90d23cd2096df6ef
                          • Opcode Fuzzy Hash: 6df77f19975070fe18cfb18956bc38933481bfb8021d6340661d5575e34e8c58
                          • Instruction Fuzzy Hash: D941AE31E00629ABDB209FA5DD45ABFB7BAEB08710F144039F981F6194D3B48D81DFA0
                          APIs
                          • FindFirstFileW.KERNEL32(?,?,00000000,?,*.*,?,?,?,00000000,.unverified,?), ref: 000DB81A
                          • lstrlenW.KERNEL32(?), ref: 000DB841
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 000DB8A1
                          • FindClose.KERNEL32(00000000), ref: 000DB8AC
                            • Part of subcall function 000C1700: GetFileAttributesW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 000C175F
                            • Part of subcall function 000C1700: GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000C1772
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: FileFind$AttributesCloseErrorFirstLastNextlstrlen
                          • String ID: *.*$.unverified
                          • API String ID: 457978746-2528915496
                          • Opcode ID: b1acd8ffcd5ab1aaa34a7905a37a0d48d89231dc50d8612e3583e66eb00ee0e5
                          • Instruction ID: 42cee3d2369b934820a0df6423c6175982ca0251860f0438dcb5c30f707d5d36
                          • Opcode Fuzzy Hash: b1acd8ffcd5ab1aaa34a7905a37a0d48d89231dc50d8612e3583e66eb00ee0e5
                          • Instruction Fuzzy Hash: 6E41607090066CEEDF60AB60DC49BEEB7F8AF44315F1041A6E908E11A1EB719EC4DF64
                          APIs
                          • GetTimeZoneInformation.KERNEL32(?,00000001,00000000), ref: 0010BE42
                          • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 0010BE54
                          Strings
                          • crypt32.dll, xrefs: 0010BE12
                          • %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 0010BE9F
                          • feclient.dll, xrefs: 0010BE1C
                          • %04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 0010BE2B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Time$InformationLocalSpecificSystemZone
                          • String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ$crypt32.dll$feclient.dll
                          • API String ID: 1772835396-1985132828
                          • Opcode ID: e7b3e7d20a5c65a63768de1c70acee0d6be8b559a3fa6c516ac23fb64aef4d82
                          • Instruction ID: 70b5d9b8f762b69ffebbe305a2e2b84b268bf77627a64bf23de11d7fcde160ee
                          • Opcode Fuzzy Hash: e7b3e7d20a5c65a63768de1c70acee0d6be8b559a3fa6c516ac23fb64aef4d82
                          • Instruction Fuzzy Hash: CA210CA2900128BADB60DB9ADC45EBFB3FCEB4C711F00855AF955E2180E7789A81D771
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: __floor_pentium4
                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                          • API String ID: 4168288129-2761157908
                          • Opcode ID: 29897800009849386c5bc991905c0799d7b23d7f7d65ba54f1f63644387e093d
                          • Instruction ID: d29901236bfb76426773ca9c62f441591c8a21cb96c5cd40523f70b66b3ea4e9
                          • Opcode Fuzzy Hash: 29897800009849386c5bc991905c0799d7b23d7f7d65ba54f1f63644387e093d
                          • Instruction Fuzzy Hash: 53D21671E0822D8BDB65CE28DD407EAB7B5EF48304F1441EAE54DE7640EB78AE859F40
                          APIs
                          Strings
                          • Failed to get the user name., xrefs: 000C7EEF
                          • Failed to set variant value., xrefs: 000C7F0B
                          • c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp, xrefs: 000C7EE5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ErrorLastNameUser
                          • String ID: Failed to get the user name.$Failed to set variant value.$c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp
                          • API String ID: 2054405381-2382286020
                          • Opcode ID: db8e43ceb55ee746171cc12ede94bc3330067503c64e99ed0f452ba6c31922ef
                          • Instruction ID: 1c68bf69f514608d34d26f18773ad6071e6965e360be06ec2878c19a9c48205c
                          • Opcode Fuzzy Hash: db8e43ceb55ee746171cc12ede94bc3330067503c64e99ed0f452ba6c31922ef
                          • Instruction Fuzzy Hash: 0D01F932A44239A7D7219B55DC46FDFB7E89F04760F000169F848F72C2DBB49D458AD4
                          APIs
                          • FormatMessageW.KERNEL32(000C5F55,000C7154,?,00000000,00000000,00000000,?,80070656,?,?,?,000E0312,00000000,000C7154,00000000,80070656), ref: 000C2A7D
                          • GetLastError.KERNEL32(?,?,?,000E0312,00000000,000C7154,00000000,80070656,?,?,000D5D7A,000C7154,?,80070656,00000001,crypt32.dll), ref: 000C2A8A
                          • LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,000E0312,00000000,000C7154,00000000,80070656,?,?,000D5D7A,000C7154), ref: 000C2AD1
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\strutil.cpp, xrefs: 000C2AAE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ErrorFormatFreeLastLocalMessage
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\strutil.cpp
                          • API String ID: 1365068426-2270866816
                          • Opcode ID: fda55e3a844c81fbff4926383f2180f4a2f92189d1316cfd3fbf43f2b45c4dc3
                          • Instruction ID: b7bc80745744b2c148610fb96426bdef6a7d82f466c45f5a14e5dc14da51a062
                          • Opcode Fuzzy Hash: fda55e3a844c81fbff4926383f2180f4a2f92189d1316cfd3fbf43f2b45c4dc3
                          • Instruction Fuzzy Hash: 270157B6940129BBDB208BA5CD09FDEBAE8EF04750F014169BD41E6650E6709E40DBE2
                          APIs
                          • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000E85F6,00000000,00000003), ref: 000E8661
                          • GetLastError.KERNEL32(?,000E85F6,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,000E89E5,?), ref: 000E866B
                          Strings
                          • Failed to set service start type., xrefs: 000E8699
                          • c:\agent\_work\35\s\wix\src\burn\engine\msuengine.cpp, xrefs: 000E868F
                          Similarity
                          • API ID: ChangeConfigErrorLastService
                          • String ID: Failed to set service start type.$c:\agent\_work\35\s\wix\src\burn\engine\msuengine.cpp
                          APIs
                          Similarity
                          • API ID: _strrchr
                          • String ID:
                          APIs
                          • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 000FC29A
                          • FindNextFileW.KERNEL32(00000000,?), ref: 000FC315
                          • FindClose.KERNEL32(00000000), ref: 000FC337
                          • FindClose.KERNEL32(00000000), ref: 000FC35A
                          Similarity
                          • API ID: Find$CloseFile$FirstNext
                          • String ID:
                          APIs
                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 000F859F
                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 000F85A9
                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 000F85B6
                          Similarity
                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                          • String ID:
                          APIs
                            • Part of subcall function 00109464: lstrlenW.KERNEL32(?), ref: 00109531
                            • Part of subcall function 00109464: lstrlenW.KERNEL32(00000000), ref: 00109549
                            • Part of subcall function 0010BF71: GetLastError.KERNEL32(?,?,?,001092F6,?,00109B48,?,00000000,HEAD,00000000,00000000,00109B48,00000000,?,?,00000000), ref: 0010BF9B
                          • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000000,?,00109B48,?,00000000,HEAD,00000000,00000000,00109B48,00000000,?,?,00000000,00000000), ref: 00109326
                          Strings
                          Similarity
                          • API ID: Timelstrlen$ErrorFileLastSystem
                          • String ID: HEAD
                          APIs
                            • Part of subcall function 001081A9: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,00108049,?), ref: 0010821A
                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0010806D
                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0010807E
                          Similarity
                          • API ID: AllocateCheckCloseInitializeMembershipToken
                          • String ID:
                          APIs
                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00103FC5,?,?,00000008,?,?,00103BCF,00000000), ref: 001041F7
                          Similarity
                          • API ID: ExceptionRaise
                          • String ID:
                          Strings
                          Similarity
                          • API ID:
                          • String ID: 0
                          Strings
                          Similarity
                          • API ID:
                          • String ID: 0
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(Function_00030A13,000F008E), ref: 000F0A0C
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          APIs
                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000101,?,?,00020006,00000000), ref: 000D2263
                          Strings
                          Similarity
                          • API ID: Close
                          • String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.14.0.8606$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayVersion$EngineVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update name and publisher.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString$VersionMajor$VersionMinor$crypt32.dll
                          APIs
                            • Part of subcall function 000C50E9: GetProcessHeap.KERNEL32(?,000001C7,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C50FA
                            • Part of subcall function 000C50E9: RtlAllocateHeap.NTDLL(00000000,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5101
                          • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000000,Packaging,00000000,00000000,FilePath,000C7123,00000000,0010FD50,000C710B,00000000), ref: 000CEBE9
                          Strings
                          • CertificateRootPublicKeyIdentifier, xrefs: 000CED33
                          • Failed to get @Id., xrefs: 000CEF15
                          • DownloadUrl, xrefs: 000CECCF
                          • Failed to get @CertificateRootThumbprint., xrefs: 000CEEBB
                          • Failed to to find container: %ls, xrefs: 000CEE7A
                          • Failed to find catalog., xrefs: 000CEEC2
                          • Container, xrefs: 000CEC41
                          • Failed to get @SourcePath., xrefs: 000CEEE5
                          • Failed to get @Catalog., xrefs: 000CEEC9
                          • Failed to get @Hash., xrefs: 000CEED7
                          • Failed to select payload nodes., xrefs: 000CEAE1
                          • Failed to hex decode @CertificateRootThumbprint., xrefs: 000CEEB4
                          • Failed to get @Container., xrefs: 000CEE81
                          • Failed to get @FilePath., xrefs: 000CEF0E
                          • Catalog, xrefs: 000CEDE2
                          • Failed to allocate memory for payload structs., xrefs: 000CEB3F
                          • embedded, xrefs: 000CEBFB
                          • SourcePath, xrefs: 000CECA6
                          • Failed to get @FileSize., xrefs: 000CEE9F
                          • Hash, xrefs: 000CEDAD
                          • Failed to get @DownloadUrl., xrefs: 000CEEDE
                          • Invalid value for @Packaging: %ls, xrefs: 000CEEF4
                          • download, xrefs: 000CEBDB
                          • Failed to get @CertificateRootPublicKeyIdentifier., xrefs: 000CEEAD
                          • Failed to get payload node count., xrefs: 000CEB06
                          • Failed to get next node., xrefs: 000CEF1C
                          • external, xrefs: 000CEC17
                          • Failed to parse @FileSize., xrefs: 000CEE95
                          • Failed to hex decode the Payload/@Hash., xrefs: 000CEED0
                          • CertificateRootThumbprint, xrefs: 000CED70
                          • Failed to get @Packaging., xrefs: 000CEF07
                          • c:\agent\_work\35\s\wix\src\burn\engine\payload.cpp, xrefs: 000CEB35
                          • Failed to hex decode @CertificateRootPublicKeyIdentifier., xrefs: 000CEEA6
                          • FilePath, xrefs: 000CEBA1
                          • Payload, xrefs: 000CEACE
                          • LayoutOnly, xrefs: 000CEC83
                          • Failed to get @LayoutOnly., xrefs: 000CEE8B
                          • FileSize, xrefs: 000CECF8
                          • Packaging, xrefs: 000CEBBC
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Heap$AllocateCompareProcessString
                          • String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$c:\agent\_work\35\s\wix\src\burn\engine\payload.cpp$download$embedded$external
                          • API String ID: 1171520630-2047659594
                          • Opcode ID: a10678a379c48c57e69e0a2a193eac1134a9200cb91cc664ba185589347a8d5b
                          • Instruction ID: 3baecad4fb80db067b3362dac1ace0561e527559bd5f6b459472f9a3d907261e
                          • Opcode Fuzzy Hash: a10678a379c48c57e69e0a2a193eac1134a9200cb91cc664ba185589347a8d5b
                          • Instruction Fuzzy Hash: F7C1D232D4566AFBCB259B90CC41FEEB6A4AF04B60F10427DF910B71D0D771AE619B90
                          APIs
                          • EnterCriticalSection.KERNEL32(000C710B,?,00000000,80070490,?,?,?,?,?,?,?,?,000EDC07,?,000C710B,?), ref: 000CA1D1
                          • LeaveCriticalSection.KERNEL32(000C710B,?,?,?,?,?,?,?,?,000EDC07,?,000C710B,?,000C710B,000C710B,Chain), ref: 000CA534
                          Strings
                          • Failed to select variable nodes., xrefs: 000CA1EE
                          • Persisted, xrefs: 000CA274
                          • Failed to get @Persisted., xrefs: 000CA511
                          • Initializing version variable '%ls' to value '%ls', xrefs: 000CA37D
                          • Failed to get @Id., xrefs: 000CA51F
                          • Failed to get @Hidden., xrefs: 000CA518
                          • Initializing numeric variable '%ls' to value '%ls', xrefs: 000CA30C
                          • Failed to get @Type., xrefs: 000CA4AE
                          • Initializing string variable '%ls' to value '%ls', xrefs: 000CA344
                          • Invalid value for @Type: %ls, xrefs: 000CA49B
                          • Failed to get variable node count., xrefs: 000CA20B
                          • Variable, xrefs: 000CA1DB
                          • Failed to set value of variable: %ls, xrefs: 000CA4D7
                          • Failed to set variant value., xrefs: 000CA4B5
                          • string, xrefs: 000CA321
                          • c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp, xrefs: 000CA4E9
                          • version, xrefs: 000CA356
                          • Hidden, xrefs: 000CA259
                          • Value, xrefs: 000CA28F
                          • Failed to set variant encryption, xrefs: 000CA4CD
                          • Failed to change variant type., xrefs: 000CA50A
                          • Failed to get @Value., xrefs: 000CA4BC
                          • Failed to get next node., xrefs: 000CA526
                          • Initializing hidden variable '%ls', xrefs: 000CA39B
                          • Attempt to set built-in variable value: %ls, xrefs: 000CA4F8
                          • Failed to insert variable '%ls'., xrefs: 000CA4C6
                          • numeric, xrefs: 000CA2E6
                          • Failed to find variable value '%ls'., xrefs: 000CA502
                          • Type, xrefs: 000CA2CD
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: CriticalSection$EnterLeave
                          • String ID: Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp$numeric$string$version
                          • API String ID: 3168844106-147775977
                          • Opcode ID: 74904719f9d2ade37b6b4a357dce752c97af31c75388f9081431b03c81e92529
                          • Instruction ID: 2cf2bad091336223abe6e9ddbc9e74542fe43892addf7c468ff0861eb548d3ca
                          • Opcode Fuzzy Hash: 74904719f9d2ade37b6b4a357dce752c97af31c75388f9081431b03c81e92529
                          • Instruction Fuzzy Hash: FDB1E432E0062DBBCF219B94CC06FAEBBB5AF45714F118269F950B61D1C7B09E41DB92
                          APIs
                          • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,000DD9E8,00000007,?,?,?), ref: 000E87DD
                            • Part of subcall function 00105C35: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,000C7B69,00000000), ref: 00105C4A
                            • Part of subcall function 00105C35: GetProcAddress.KERNEL32(00000000), ref: 00105C51
                            • Part of subcall function 00105C35: GetLastError.KERNEL32(?,?,?,?,000C7B69,00000000), ref: 00105C6C
                          • CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 000E8BCC
                          • CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 000E8BE0
                          Strings
                          • Bootstrapper application aborted during MSU progress., xrefs: 000E8B11
                          • Failed to build MSU path., xrefs: 000E88F2
                          • Failed to append log switch to MSU command-line., xrefs: 000E8973
                          • Failed to ensure WU service was enabled to install MSU package., xrefs: 000E89EB
                          • "%ls" "%ls" /quiet /norestart, xrefs: 000E8905
                          • WixBundleExecutePackageCacheFolder, xrefs: 000E88C8, 000E8BF8
                          • D, xrefs: 000E89F8
                          • wusa.exe, xrefs: 000E885D
                          • Failed to allocate WUSA.exe path., xrefs: 000E8870
                          • Failed to append SysNative directory., xrefs: 000E883A
                          • c:\agent\_work\35\s\wix\src\burn\engine\msuengine.cpp, xrefs: 000E8A4A, 000E8ADF, 000E8B07
                          • Failed to find Windows directory., xrefs: 000E881C
                          • Failed to find System32 directory., xrefs: 000E8852
                          • Failed to get action arguments for MSU package., xrefs: 000E8893
                          • Failed to CreateProcess on path: %ls, xrefs: 000E8A57
                          • Failed to get process exit code., xrefs: 000E8AE9
                          • 2, xrefs: 000E8A70
                          • "%ls" /uninstall /kb:%ls /quiet /norestart, xrefs: 000E8932
                          • /log:, xrefs: 000E895F
                          • Failed to format MSU install command., xrefs: 000E8919
                          • SysNative\, xrefs: 000E8827
                          • Failed to wait for executable to complete: %ls, xrefs: 000E8B5B
                          • Failed to format MSU uninstall command., xrefs: 000E8946
                          • Failed to determine WOW64 status., xrefs: 000E87EF
                          • Failed to get cached path for package: %ls, xrefs: 000E88B9
                          • Failed to append log path to MSU command-line., xrefs: 000E8991
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Handle$Close$AddressCurrentErrorLastModuleProcProcess
                          • String ID: /log:$"%ls" "%ls" /quiet /norestart$"%ls" /uninstall /kb:%ls /quiet /norestart$2$Bootstrapper application aborted during MSU progress.$D$Failed to CreateProcess on path: %ls$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to find Windows directory.$Failed to format MSU install command.$Failed to format MSU uninstall command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to get process exit code.$Failed to wait for executable to complete: %ls$SysNative\$WixBundleExecutePackageCacheFolder$c:\agent\_work\35\s\wix\src\burn\engine\msuengine.cpp$wusa.exe
                          • API String ID: 1400713077-2162541595
                          • Opcode ID: d621d18b6bb667002c70fc0fe8397456985da46152072fa4d320b7850ecb5388
                          • Instruction ID: f520ad637e9556178ba2245811e156732b7e46abc4bfdfb9c385f800a1463529
                          • Opcode Fuzzy Hash: d621d18b6bb667002c70fc0fe8397456985da46152072fa4d320b7850ecb5388
                          • Instruction Fuzzy Hash: ADD1D470A4035AAFDB619FE6CD85FEE7BF8BF08700F108525F608B2152DBB19A409B51
                          APIs
                            • Part of subcall function 000C50E9: GetProcessHeap.KERNEL32(?,000001C7,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C50FA
                            • Part of subcall function 000C50E9: RtlAllocateHeap.NTDLL(00000000,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5101
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,generator,000000FF,?,?,?), ref: 0010AAE0
                          • SysFreeString.OLEAUT32(00000000), ref: 0010ACA9
                          • SysFreeString.OLEAUT32(00000000), ref: 0010AD46
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: String$FreeHeap$AllocateCompareProcess
                          • String ID: ($@$`<u$author$c:\agent\_work\35\s\wix\src\libs\dutil\atomutil.cpp$category$entry$generator$icon$link$logo$subtitle$title$updated
                          • API String ID: 1555028553-1533921217
                          • Opcode ID: 687abde09151f0b7d87275285f3cc6a81e1c3c831d0995cbd52f945935e0a172
                          • Instruction ID: 0224739319d8d66bd84402c8329ac5aa4a4108c98042584ccfd5f74356088907
                          • Opcode Fuzzy Hash: 687abde09151f0b7d87275285f3cc6a81e1c3c831d0995cbd52f945935e0a172
                          • Instruction Fuzzy Hash: ADB1D031944326BBDB119BA4CC81FAEB774AF10720FA04354F561BA6D1DBB0EE50CB92
                          APIs
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,001278A8,000000FF,?,?,?), ref: 0010A759
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 0010A77E
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 0010A79E
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 0010A7BA
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 0010A7E2
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 0010A7FE
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 0010A837
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 0010A870
                            • Part of subcall function 0010A2DB: SysFreeString.OLEAUT32(00000000), ref: 0010A414
                            • Part of subcall function 0010A2DB: SysFreeString.OLEAUT32(00000000), ref: 0010A453
                          • SysFreeString.OLEAUT32(00000000), ref: 0010A8F4
                          • SysFreeString.OLEAUT32(00000000), ref: 0010A9A4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: String$Compare$Free
                          • String ID: ($`<u$author$c:\agent\_work\35\s\wix\src\libs\dutil\atomutil.cpp$cabinet.dll$category$clbcatq.dll$content$feclient.dll$link$msi.dll$published$summary$title$updated$version.dll
                          • API String ID: 318886736-234817467
                          • Opcode ID: 7f9b2b67bf4383f47a9da38b5740cdb59569cdc7ca84b225edd1d8940c2f23e0
                          • Instruction ID: de5ffe92eb8bf841df9d6aaa78f44b983a90f360cadc188d79146fbc415d4ffe
                          • Opcode Fuzzy Hash: 7f9b2b67bf4383f47a9da38b5740cdb59569cdc7ca84b225edd1d8940c2f23e0
                          • Instruction Fuzzy Hash: 7FA1ED31A44326FBCB119B94CC81FADB774AF04724FA14361F5A1AA1D0DBB0EE50DB92
                          APIs
                          • UuidCreate.RPCRT4(?), ref: 000EEEDC
                          • StringFromGUID2.OLE32(?,?,00000027), ref: 000EEF05
                          • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?), ref: 000EEFEE
                          • GetLastError.KERNEL32(?,?,?,?), ref: 000EEFF8
                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,?,?,?,?), ref: 000EF091
                          • WaitForSingleObject.KERNEL32(0010E500,000000FF,?,?,?,?), ref: 000EF09C
                          • ReleaseMutex.KERNEL32(0010E500,?,?,?,?), ref: 000EF0C6
                          • GetExitCodeProcess.KERNEL32(?,?), ref: 000EF0E7
                          • GetLastError.KERNEL32(?,?,?,?), ref: 000EF0F5
                          • GetLastError.KERNEL32(?,?,?,?), ref: 000EF12D
                            • Part of subcall function 000EED6F: WaitForSingleObject.KERNEL32(?,000000FF,74DF30B0,00000000,?,?,?,000EF06B,?), ref: 000EED8E
                            • Part of subcall function 000EED6F: ReleaseMutex.KERNEL32(?,?,?,000EF06B,?), ref: 000EEDA2
                            • Part of subcall function 000EED6F: WaitForSingleObject.KERNEL32(?,000000FF), ref: 000EEDE7
                            • Part of subcall function 000EED6F: ReleaseMutex.KERNEL32(?), ref: 000EEDFA
                            • Part of subcall function 000EED6F: SetEvent.KERNEL32(?), ref: 000EEE03
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 000EF1D6
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 000EF1EE
                          Strings
                          • Failed to allocate section name., xrefs: 000EEF46
                          • Failed to allocate event name., xrefs: 000EEF68
                          • Failed to create netfx chainer., xrefs: 000EEF87
                          • c:\agent\_work\35\s\wix\src\burn\engine\netfxchainer.cpp, xrefs: 000EEF1A, 000EF01C, 000EF119, 000EF151
                          • %ls /pipe %ls, xrefs: 000EEFA8
                          • NetFxSection.%ls, xrefs: 000EEF32
                          • Failed to wait for netfx chainer process to complete, xrefs: 000EF15B
                          • Failed to create netfx chainer guid., xrefs: 000EEEE9
                          • NetFxEvent.%ls, xrefs: 000EEF54
                          • Failed to convert netfx chainer guid into string., xrefs: 000EEF24
                          • Failed to process netfx chainer message., xrefs: 000EF071
                          • Failed to get netfx return code., xrefs: 000EF123
                          • Failed to CreateProcess on path: %ls, xrefs: 000EF027
                          • Failed to allocate netfx chainer arguments., xrefs: 000EEFBC
                          • D, xrefs: 000EEFD3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Wait$ErrorLastMutexObjectReleaseSingle$CloseCreateHandleProcess$CodeEventExitFromMultipleObjectsStringUuid
                          • String ID: %ls /pipe %ls$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxEvent.%ls$NetFxSection.%ls$c:\agent\_work\35\s\wix\src\burn\engine\netfxchainer.cpp
                          • API String ID: 1533322865-1266794842
                          • Opcode ID: 29e52447133eef37e1b70a829f407d6b46a6c5a64845d62d2eb291cd64f6aa77
                          • Instruction ID: 94e2577ad636a8227e28123fbf365bb48af67b5165f6680718d2cca7bc2b4552
                          • Opcode Fuzzy Hash: 29e52447133eef37e1b70a829f407d6b46a6c5a64845d62d2eb291cd64f6aa77
                          • Instruction Fuzzy Hash: 14A1A032E40269AFDB21DBA5DD45BAEBBF8AF04310F104165F908FB292D7759E408F91
                          APIs
                          • lstrlenW.KERNEL32(?,?,00000000,?,?,00000000,75C0B390,?,000C6205,?,0010E500), ref: 000D71B6
                          • GetCurrentProcessId.KERNEL32(?,000C6205,?,0010E500), ref: 000D71C1
                          • SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,000C6205,?,0010E500), ref: 000D71F8
                          • ConnectNamedPipe.KERNEL32(?,00000000,?,000C6205,?,0010E500), ref: 000D720D
                          • GetLastError.KERNEL32(?,000C6205,?,0010E500), ref: 000D7217
                          • Sleep.KERNEL32(00000064,?,000C6205,?,0010E500), ref: 000D724C
                          • SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,000C6205,?,0010E500), ref: 000D726F
                          • WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,000C6205,?,0010E500), ref: 000D728A
                          • WriteFile.KERNEL32(?,000C6205,0010E500,00000000,00000000,?,000C6205,?,0010E500), ref: 000D72A5
                          • WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,000C6205,?,0010E500), ref: 000D72C0
                          • ReadFile.KERNEL32(?,00000000,00000004,00000000,00000000,?,000C6205,?,0010E500), ref: 000D72DB
                          • GetLastError.KERNEL32(?,000C6205,?,0010E500), ref: 000D7336
                          • GetLastError.KERNEL32(?,000C6205,?,0010E500), ref: 000D736A
                          • GetLastError.KERNEL32(?,000C6205,?,0010E500), ref: 000D739E
                          • GetLastError.KERNEL32(?,000C6205,?,0010E500), ref: 000D73D2
                          • GetLastError.KERNEL32(?,000C6205,?,0010E500), ref: 000D7403
                          • GetLastError.KERNEL32(?,000C6205,?,0010E500), ref: 000D7434
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
                          • String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$c:\agent\_work\35\s\wix\src\burn\engine\pipe.cpp$crypt32.dll
                          • API String ID: 2944378912-515631054
                          • Opcode ID: 907f8563ca99dea3fe5eef0c12561f98347e7038123588d2f80131bcecf00779
                          • Instruction ID: 5222dc370c525b119ab1dc480d23c7a47e48da772c721bc970bbf3c28ca30cb6
                          • Opcode Fuzzy Hash: 907f8563ca99dea3fe5eef0c12561f98347e7038123588d2f80131bcecf00779
                          • Instruction Fuzzy Hash: DE61A572D89335ABD72096A58C45BEEBAE86F04710F114526BD48FB3C1F7B49E4086F1
                          APIs
                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 000CC155
                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 000CC17D
                          • RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 000CC47C
                          Strings
                          • Failed to format value string., xrefs: 000CC18A
                          • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 000CC21F
                          • Failed to query registry key value., xrefs: 000CC2E1
                          • Failed to change value type., xrefs: 000CC420, 000CC443
                          • Failed to set variable., xrefs: 000CC43E
                          • Failed to get expand environment string., xrefs: 000CC3EA
                          • c:\agent\_work\35\s\wix\src\burn\engine\search.cpp, xrefs: 000CC24D, 000CC282, 000CC2D5, 000CC3DE
                          • Failed to allocate memory registry value., xrefs: 000CC28C
                          • Failed to allocate string buffer., xrefs: 000CC370
                          • Registry key not found. Key = '%ls', xrefs: 000CC1B5
                          • Unsupported registry key value type. Type = '%u', xrefs: 000CC30F
                          • Failed to clear variable., xrefs: 000CC1DB
                          • Failed to open registry key., xrefs: 000CC1F0
                          • Failed to format key string., xrefs: 000CC162
                          • RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 000CC454
                          • Failed to query registry key value size., xrefs: 000CC259
                          • Failed to read registry value., xrefs: 000CC405
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Open@16$Close
                          • String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$c:\agent\_work\35\s\wix\src\burn\engine\search.cpp
                          APIs
                          • EnterCriticalSection.KERNEL32(00000100,00000100,00000100,00000000,00000100,00000000,?,000CC5C6,00000100,000002C0,000002C0,00000100), ref: 000C7455
                          • lstrlenW.KERNEL32(000002C0,?,000CC5C6,00000100,000002C0,000002C0,00000100), ref: 000C745F
                          • _wcschr.LIBVCRUNTIME ref: 000C7664
                          • LeaveCriticalSection.KERNEL32(00000100,00000000,000002C0,000002C0,00000000,000002C0,00000001,?,000CC5C6,00000100,000002C0,000002C0,00000100), ref: 000C7907
                          Strings
                          Similarity
                          • API ID: CriticalSection$EnterLeave_wcschrlstrlen
                          • String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp
                          APIs
                            • Part of subcall function 000C50E9: GetProcessHeap.KERNEL32(?,000001C7,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C50FA
                            • Part of subcall function 000C50E9: RtlAllocateHeap.NTDLL(00000000,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5101
                          • CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000000,00000018,00000001,?,00000000,?,?,000EEF81,?,?,?), ref: 000EE8FC
                          • GetLastError.KERNEL32(?,?,000EEF81,?,?,?), ref: 000EE909
                          • ReleaseMutex.KERNEL32(?), ref: 000EEB71
                          Strings
                          Similarity
                          • API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
                          • String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$c:\agent\_work\35\s\wix\src\burn\engine\netfxchainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
                          APIs
                            • Part of subcall function 001078B5: VariantInit.OLEAUT32(?), ref: 001078CB
                            • Part of subcall function 001078B5: SysAllocString.OLEAUT32(?), ref: 001078E7
                            • Part of subcall function 001078B5: VariantClear.OLEAUT32(?), ref: 0010796E
                            • Part of subcall function 001078B5: SysFreeString.OLEAUT32(00000000), ref: 00107979
                          • CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,Detect,000000FF,?,0010FD50,?,?,Action,?,?,?,00000000,000C710B), ref: 000D0804
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,Upgrade,000000FF), ref: 000D084E
                          Strings
                          • Failed to get @Action., xrefs: 000D095A
                          • Failed to resize Addon code array in registration, xrefs: 000D092D
                          • version.dll, xrefs: 000D0861
                          • Failed to get @Id., xrefs: 000D0953
                          • Detect, xrefs: 000D07F5
                          • Upgrade, xrefs: 000D0841
                          • cabinet.dll, xrefs: 000D08AB
                          • comres.dll, xrefs: 000D0817
                          • Failed to get RelatedBundle nodes, xrefs: 000D0763
                          • Failed to resize Patch code array in registration, xrefs: 000D0934
                          • Invalid value for @Action: %ls, xrefs: 000D0943
                          • Patch, xrefs: 000D08CE
                          • Failed to get RelatedBundle element count., xrefs: 000D0788
                          • Failed to get next RelatedBundle element., xrefs: 000D0961
                          • Action, xrefs: 000D07C1
                          • Addon, xrefs: 000D088B
                          • Failed to resize Detect code array in registration, xrefs: 000D091F
                          • Failed to resize Upgrade code array in registration, xrefs: 000D0926
                          • RelatedBundle, xrefs: 000D0741
                          Similarity
                          • API ID: String$CompareVariant$AllocClearFreeInit
                          • String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$cabinet.dll$comres.dll$version.dll
                          APIs
                          • GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,000D68B3,0010E4E8,?,feclient.dll,00000000,?,?), ref: 000D63B7
                          • ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,000D68B3,0010E4E8,?,feclient.dll,00000000,?,?), ref: 000D63D8
                          • GetLastError.KERNEL32(?,000D68B3,0010E4E8,?,feclient.dll,00000000,?,?), ref: 000D63DE
                          • ReadFile.KERNEL32(feclient.dll,00000000,0010E518,?,00000000,00000000,0010E519,?,000D68B3,0010E4E8,?,feclient.dll,00000000,?,?), ref: 000D646C
                          • GetLastError.KERNEL32(?,000D68B3,0010E4E8,?,feclient.dll,00000000,?,?), ref: 000D6472
                          Strings
                          Similarity
                          • API ID: ErrorFileLastRead$CurrentProcess
                          • String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$c:\agent\_work\35\s\wix\src\burn\engine\pipe.cpp$feclient.dll$msasn1.dll
                          Strings
                          Similarity
                          • API ID: StringVariant$AllocClearFreeInit
                          • String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
                          APIs
                          • GetStringTypeW.KERNEL32(00000001,5600110E,00000001,?,000CB648,?,00000000,00000000,?,?,000CB630,?,?,00000000,?), ref: 000CACBA
                          Strings
                          • Failed to set symbol value., xrefs: 000CAD6A
                          • Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 000CB112
                          • NOT, xrefs: 000CAFE5
                          • Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 000CAE6C
                          • AND, xrefs: 000CAFC6
                          • -, xrefs: 000CAE22
                          • Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 000CAEE8
                          • c:\agent\_work\35\s\wix\src\burn\engine\condition.cpp, xrefs: 000CAD8E, 000CAE58, 000CAED4, 000CAF38, 000CB076, 000CB0BA, 000CB0FE
                          • Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 000CADA2
                          • Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 000CAF4C
                          • Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 000CB0CE
                          • Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 000CB08A
                          Similarity
                          • API ID: StringType
                          • String ID: -$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$c:\agent\_work\35\s\wix\src\burn\engine\condition.cpp
                          APIs
                            • Part of subcall function 000C50E9: GetProcessHeap.KERNEL32(?,000001C7,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C50FA
                            • Part of subcall function 000C50E9: RtlAllocateHeap.NTDLL(00000000,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5101
                          • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,success,000000FF,?,Type,00000000,?,?,00000000,?,00000001,?), ref: 000E37B4
                          • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,error,000000FF), ref: 000E37D2
                          Strings
                          Similarity
                          • API ID: CompareHeapString$AllocateProcess
                          • String ID: Code$ExitCode$Failed to allocate memory for exit code structs.$Failed to get @Code.$Failed to get @Type.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$Invalid exit code type: %ls$Type$c:\agent\_work\35\s\wix\src\burn\engine\exeengine.cpp$error$forceReboot$scheduleReboot$success
                          APIs
                            • Part of subcall function 000CF19E: EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,000D8C6F,000000B8,00000000,?,00000000,75C0B390), ref: 000CF1AD
                            • Part of subcall function 000CF19E: LeaveCriticalSection.KERNEL32(000000D0,?,000D8C6F,000000B8,00000000,?,00000000,75C0B390), ref: 000CF1D0
                          • ReleaseMutex.KERNEL32(00000000,?,00000000,crypt32.dll,00000000,00000001,00000000), ref: 000D8BBE
                          • CloseHandle.KERNEL32(00000000), ref: 000D8BC7
                          • CloseHandle.KERNEL32(?,?,00000000,crypt32.dll,00000000,00000001,00000000), ref: 000D8BE7
                            • Part of subcall function 000ED751: SetThreadExecutionState.KERNEL32(80000001), ref: 000ED756
                          Strings
                          • crypt32.dll, xrefs: 000D88FE
                          • Failed while caching, aborting execution., xrefs: 000D8AC5
                          • Engine cannot start apply because it is busy with another action., xrefs: 000D885B
                          • Failed to elevate., xrefs: 000D89C6
                          • Another per-user setup is already executing., xrefs: 000D890C
                          • comres.dll, xrefs: 000D8C0D
                          • Failed to set initial apply variables., xrefs: 000D8936
                          • c:\agent\_work\35\s\wix\src\burn\engine\core.cpp, xrefs: 000D88C2, 000D8A93
                          • Failed to create cache thread., xrefs: 000D8A9D
                          • Failed to register bundle., xrefs: 000D8A23
                          • Failed to cache engine to working directory., xrefs: 000D89A0
                          • Another per-machine setup is already executing., xrefs: 000D8A00
                          • UX aborted apply begin., xrefs: 000D88CC
                          Similarity
                          • API ID: CloseCriticalHandleSection$EnterExecutionLeaveMutexReleaseStateThread
                          • String ID: Another per-machine setup is already executing.$Another per-user setup is already executing.$Engine cannot start apply because it is busy with another action.$Failed to cache engine to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to set initial apply variables.$Failed while caching, aborting execution.$UX aborted apply begin.$c:\agent\_work\35\s\wix\src\burn\engine\core.cpp$comres.dll$crypt32.dll
                          APIs
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,rel,000000FF,?,?,?,00000000), ref: 0010ADD8
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,href,000000FF), ref: 0010ADFD
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,length,000000FF), ref: 0010AE1D
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 0010AE50
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,type,000000FF), ref: 0010AE6C
                          • SysFreeString.OLEAUT32(00000000), ref: 0010AE97
                          • SysFreeString.OLEAUT32(00000000), ref: 0010AF0E
                          • SysFreeString.OLEAUT32(00000000), ref: 0010AF5A
                          Strings
                          Similarity
                          • API ID: String$Compare$Free
                          • String ID: `<u$comres.dll$feclient.dll$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
                          APIs
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,00000410), ref: 0010B6D8
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 0010B6F3
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,upgrade,000000FF), ref: 0010B796
                          • CompareStringW.KERNEL32(0000007F,00000000,00700079,000000FF,version,000000FF,000002D8,0010E518,00000000), ref: 0010B7D5
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exclusive,000000FF), ref: 0010B828
                          • CompareStringW.KERNEL32(0000007F,00000000,0010E518,000000FF,true,000000FF), ref: 0010B846
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 0010B87E
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,enclosure,000000FF), ref: 0010B9C2
                          Strings
                          Similarity
                          • API ID: CompareString
                          • String ID: application$c:\agent\_work\35\s\wix\src\libs\dutil\apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$true$type$upgrade$version
                          APIs
                            • Part of subcall function 000DFE6B: LoadBitmapW.USER32(?,00000001), ref: 000DFEA1
                            • Part of subcall function 000DFE6B: GetLastError.KERNEL32 ref: 000DFEAD
                          • LoadCursorW.USER32(00000000,00007F00), ref: 000DFFE3
                          • RegisterClassW.USER32(?), ref: 000DFFF7
                          • GetLastError.KERNEL32 ref: 000E0002
                          • UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 000E0107
                          • DeleteObject.GDI32(00000000), ref: 000E0116
                          Strings
                          Similarity
                          • API ID: ClassErrorLastLoad$BitmapCursorDeleteObjectRegisterUnregister
                          • String ID: Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$c:\agent\_work\35\s\wix\src\burn\engine\splashscreen.cpp
                          APIs
                          • WaitForMultipleObjects.KERNEL32(00000001,000ED6D1,00000000,000000FF,00000001,00000000,00000000,000ED6D1,00000001,?), ref: 000EB8CD
                          • GetLastError.KERNEL32 ref: 000EBA3D
                          • GetExitCodeThread.KERNEL32(?,00000001), ref: 000EBA7D
                          • GetLastError.KERNEL32 ref: 000EBA87
                          Strings
                          • Failed to load compatible package on per-machine package., xrefs: 000EB9E3
                          • c:\agent\_work\35\s\wix\src\burn\engine\apply.cpp, xrefs: 000EBA64, 000EBAAE
                          • Invalid execute action., xrefs: 000EBADD
                          • Failed to execute MSP package., xrefs: 000EB952
                          • Failed to execute compatible package action., xrefs: 000EB9FA
                          • Failed to execute MSU package., xrefs: 000EB982
                          • Failed to execute EXE package., xrefs: 000EB904
                          • Failed to execute MSI package., xrefs: 000EB92D
                          • Cache thread exited unexpectedly., xrefs: 000EBACE
                          • Failed to get cache thread exit code., xrefs: 000EBAB8
                          • Failed to execute package provider registration action., xrefs: 000EB99E
                          • Failed to wait for cache check-point., xrefs: 000EBA6E
                          • Failed to execute dependency action., xrefs: 000EB9BD
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
                          • String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$c:\agent\_work\35\s\wix\src\burn\engine\apply.cpp
                          APIs
                            • Part of subcall function 001080AA: GetVersionExW.KERNEL32(?,?,?,00000000), ref: 001080F9
                          • RegCloseKey.ADVAPI32(00000000,?,00114178,00020006,00000000,?,00000000,00000000,00000000,?,00000000,00000001,00000000,00000000), ref: 000D1122
                            • Part of subcall function 000C5D42: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,000D0F6F,00114178,Resume,00000005,?,00000000,00000000,00000000), ref: 000C5D57
                          Strings
                          • BundleResumeCommandLine, xrefs: 000D102A, 000D10BD
                          • "%ls" /%ls, xrefs: 000D0FC7
                          • Resume, xrefs: 000D0F64
                          • Failed to delete resume command line value., xrefs: 000D10FE
                          • Failed to write run key value., xrefs: 000D101D
                          • burn.runonce, xrefs: 000D0FBC
                          • Failed to create run key., xrefs: 000D0FFF
                          • Failed to write resume command line value., xrefs: 000D103F
                          • Failed to delete run key value., xrefs: 000D10B0
                          • Failed to write Resume value., xrefs: 000D0F75
                          • Installed, xrefs: 000D0F87
                          • c:\agent\_work\35\s\wix\src\burn\engine\registration.cpp, xrefs: 000D10A6, 000D10F4
                          • Failed to format resume command line for RunOnce., xrefs: 000D0FDB
                          • Failed to write Installed value., xrefs: 000D0F98
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: CloseValueVersion
                          • String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$burn.runonce$c:\agent\_work\35\s\wix\src\burn\engine\registration.cpp
                          APIs
                          • GetCurrentProcessId.KERNEL32(74DE8FB0,00000000,00000000), ref: 000EE6D4
                            • Part of subcall function 000D6A52: UuidCreate.RPCRT4(?), ref: 000D6A85
                          • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,08000000,00000000,00000000,?,000E3EF9,?,?,00000000,?,?,?), ref: 000EE7B2
                          • GetLastError.KERNEL32(?,?,00000000,?,?,?,?), ref: 000EE7BC
                          • GetProcessId.KERNEL32(000E3EF9,?,?,00000000,?,?,?,?), ref: 000EE7F4
                            • Part of subcall function 000D7195: lstrlenW.KERNEL32(?,?,00000000,?,?,00000000,75C0B390,?,000C6205,?,0010E500), ref: 000D71B6
                            • Part of subcall function 000D7195: GetCurrentProcessId.KERNEL32(?,000C6205,?,0010E500), ref: 000D71C1
                            • Part of subcall function 000D7195: SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,000C6205,?,0010E500), ref: 000D71F8
                            • Part of subcall function 000D7195: ConnectNamedPipe.KERNEL32(?,00000000,?,000C6205,?,0010E500), ref: 000D720D
                            • Part of subcall function 000D7195: GetLastError.KERNEL32(?,000C6205,?,0010E500), ref: 000D7217
                            • Part of subcall function 000D7195: Sleep.KERNEL32(00000064,?,000C6205,?,0010E500), ref: 000D724C
                            • Part of subcall function 000D7195: SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,000C6205,?,0010E500), ref: 000D726F
                            • Part of subcall function 000D7195: WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,000C6205,?,0010E500), ref: 000D728A
                            • Part of subcall function 000D7195: WriteFile.KERNEL32(?,000C6205,0010E500,00000000,00000000,?,000C6205,?,0010E500), ref: 000D72A5
                            • Part of subcall function 000D7195: WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,000C6205,?,0010E500), ref: 000D72C0
                            • Part of subcall function 00105B97: WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,000C6BE6,?,000000FF,?,?,?,?,?,00000000,?,?,?), ref: 00105BA3
                            • Part of subcall function 00105B97: GetLastError.KERNEL32(?,000C6BE6,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00105BB1
                          • CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,000EE628,?,?,?,?,?,00000000,?,?,?,?), ref: 000EE878
                          • CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,000EE628,?,?,?,?,?,00000000,?,?,?,?), ref: 000EE887
                          • CloseHandle.KERNEL32(00000000,?,?,000000FF,00000000,?,000EE628,?,?,?,?,?,00000000,?,?,?), ref: 000EE89E
                          Strings
                          • Failed to create embedded pipe name and client token., xrefs: 000EE737
                          • c:\agent\_work\35\s\wix\src\burn\engine\embedded.cpp, xrefs: 000EE7DD
                          • Failed to wait for embedded executable: %ls, xrefs: 000EE85B
                          • Failed to process messages from embedded message., xrefs: 000EE83B
                          • Failed to create embedded pipe., xrefs: 000EE75E
                          • Failed to allocate embedded command., xrefs: 000EE78B
                          • burn.embedded, xrefs: 000EE76F
                          • %ls -%ls %ls %ls %u, xrefs: 000EE777
                          • Failed to create embedded process at path: %ls, xrefs: 000EE7EA
                          • Failed to wait for embedded process to connect to pipe., xrefs: 000EE816
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Handle$Process$CloseErrorFileLastNamedPipeWrite$CreateCurrentState$ConnectObjectSingleSleepUuidWaitlstrlen
                          • String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$c:\agent\_work\35\s\wix\src\burn\engine\embedded.cpp
                          APIs
                          • SysFreeString.OLEAUT32(?), ref: 000D0B3B
                            • Part of subcall function 000C50E9: GetProcessHeap.KERNEL32(?,000001C7,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C50FA
                            • Part of subcall function 000C50E9: RtlAllocateHeap.NTDLL(00000000,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5101
                          • SysFreeString.OLEAUT32(?), ref: 000D0AF3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: FreeHeapString$AllocateProcess
                          • String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$`<u$c:\agent\_work\35\s\wix\src\burn\engine\registration.cpp
                          APIs
                          • CompareStringW.KERNEL32(0000007F,00000000,msi.dll,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,?,0010B9DF,00000001,?), ref: 0010B515
                          • CompareStringW.KERNEL32(0000007F,00000000,digest,000000FF,002E0069,000000FF,?,0010B9DF,00000001,?), ref: 0010B530
                          • CompareStringW.KERNEL32(0000007F,00000000,name,000000FF,002E0069,000000FF,?,0010B9DF,00000001,?), ref: 0010B54B
                          • CompareStringW.KERNEL32(0000007F,00000000,algorithm,000000FF,?,000000FF,?,0010B9DF,00000001,?), ref: 0010B5B7
                          • CompareStringW.KERNEL32(0000007F,00000001,md5,000000FF,?,000000FF,?,0010B9DF,00000001,?), ref: 0010B5DB
                          • CompareStringW.KERNEL32(0000007F,00000001,sha1,000000FF,?,000000FF,?,0010B9DF,00000001,?), ref: 0010B5FF
                          • CompareStringW.KERNEL32(0000007F,00000001,sha256,000000FF,?,000000FF,?,0010B9DF,00000001,?), ref: 0010B61F
                          • lstrlenW.KERNEL32(006C0064,?,0010B9DF,00000001,?), ref: 0010B63A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: CompareString$lstrlen
                          • String ID: algorithm$c:\agent\_work\35\s\wix\src\libs\dutil\apuputil.cpp$digest$http://appsyndication.org/2006/appsyn$md5$msi.dll$name$sha1$sha256
                          APIs
                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 000CBDB3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Open@16
                          • String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
                          APIs
                          • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?), ref: 000D6842
                          • GetLastError.KERNEL32 ref: 000D6850
                          • Sleep.KERNEL32(00000064), ref: 000D6874
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: CreateErrorFileLastSleep
                          • String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$c:\agent\_work\35\s\wix\src\burn\engine\pipe.cpp$feclient.dll
                          APIs
                          • RegCloseKey.ADVAPI32(00000000,00000000,000D21B0,InstallerVersion,InstallerVersion,00000000,000D21B0,InstallerName,InstallerName,00000000,000D21B0,Date,InstalledDate,00000000,000D21B0,LogonUser), ref: 000D1411
                            • Part of subcall function 000C5D90: RegSetValueExW.ADVAPI32(00020006,00114178,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,000D1017,00000000,?,00020006), ref: 000C5DC3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: CloseValue
                          • String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
                          APIs
                          • TlsSetValue.KERNEL32(?,?), ref: 000E03AE
                          • RegisterClassW.USER32(?), ref: 000E03DA
                          • GetLastError.KERNEL32 ref: 000E03E5
                          • CreateWindowExW.USER32(00000080,0011D424,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 000E044C
                          • GetLastError.KERNEL32 ref: 000E0456
                          • UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 000E04F4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
                          • String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$c:\agent\_work\35\s\wix\src\burn\engine\uithread.cpp
                          Strings
                          • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 000EE42A
                          • c:\agent\_work\35\s\wix\src\burn\engine\pseudobundle.cpp, xrefs: 000EE1EB, 000EE3E4, 000EE41E
                          • Failed to copy filename for passthrough pseudo bundle., xrefs: 000EE401
                          • Failed to allocate memory for pseudo bundle payload hash., xrefs: 000EE3F0
                          • Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 000EE1F7
                          • Failed to recreate command-line arguments., xrefs: 000EE486
                          • Failed to copy download source for passthrough pseudo bundle., xrefs: 000EE3D2
                          • Failed to copy install arguments for passthrough bundle package, xrefs: 000EE4A5
                          • Failed to copy local source path for passthrough pseudo bundle., xrefs: 000EE3FA
                          • Failed to copy key for passthrough pseudo bundle., xrefs: 000EE3CB
                          • Failed to copy related arguments for passthrough bundle package, xrefs: 000EE4C5
                          • Failed to copy key for passthrough pseudo bundle payload., xrefs: 000EE408
                          • Failed to copy cache id for passthrough pseudo bundle., xrefs: 000EE448
                          • Failed to copy uninstall arguments for passthrough bundle package, xrefs: 000EE4EF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Heap$AllocateProcess
                          • String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$c:\agent\_work\35\s\wix\src\burn\engine\pseudobundle.cpp
                          APIs
                          • lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,00000000,00000000,?), ref: 000EF86A
                          Strings
                          • Failed while waiting for BITS download., xrefs: 000EFA1B
                          • Failed to create BITS job callback., xrefs: 000EF97D
                          • c:\agent\_work\35\s\wix\src\burn\engine\bitsengine.cpp, xrefs: 000EF880, 000EF973
                          • Falied to start BITS job., xrefs: 000EFA22
                          • Failed to add file to BITS job., xrefs: 000EF937
                          • Failed to initialize BITS job callback., xrefs: 000EF98B
                          • Failed to set callback interface for BITS job., xrefs: 000EF9A2
                          • Failed to copy download URL., xrefs: 000EF8B1
                          • Failed to set credentials for BITS job., xrefs: 000EF918
                          • Failed to complete BITS job., xrefs: 000EFA14
                          • Invalid BITS engine URL: %ls, xrefs: 000EF88C
                          • Failed to download BITS job., xrefs: 000EFA01
                          • Failed to create BITS job., xrefs: 000EF8F9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: lstrlen
                          • String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS engine URL: %ls$c:\agent\_work\35\s\wix\src\burn\engine\bitsengine.cpp
                          APIs
                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 000CD9ED
                          • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000200,00000000,?,00000044,?,?,?,?,?), ref: 000CDAFA
                          • GetLastError.KERNEL32(?,?,?,?), ref: 000CDB04
                          • WaitForInputIdle.USER32(?,?), ref: 000CDB58
                          • CloseHandle.KERNEL32(?,?,?), ref: 000CDBA3
                          • CloseHandle.KERNEL32(?,?,?), ref: 000CDBB0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: CloseHandle$CreateErrorIdleInputLastOpen@16ProcessWait
                          • String ID: "%ls"$"%ls" %s$D$Failed to CreateProcess on path: %ls$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$c:\agent\_work\35\s\wix\src\burn\engine\approvedexe.cpp
                          APIs
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,?,?,?,?,?,?,?,?,000E89E5,?), ref: 000E84CF
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,000E89E5,?,?,?), ref: 000E84DC
                          • OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,000E89E5,?,?,?), ref: 000E8524
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,000E89E5,?,?,?), ref: 000E8530
                          • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,000E89E5,?,?,?), ref: 000E856A
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,000E89E5,?,?,?), ref: 000E8574
                          • CloseServiceHandle.ADVAPI32(00000000), ref: 000E862B
                          • CloseServiceHandle.ADVAPI32(?), ref: 000E8635
                          Strings
                          • wuauserv, xrefs: 000E851E
                          • Failed to mark WU service to start on demand., xrefs: 000E85FC
                          • Failed to open WU service., xrefs: 000E855E
                          • Failed to query status of WU service., xrefs: 000E85A2
                          • c:\agent\_work\35\s\wix\src\burn\engine\msuengine.cpp, xrefs: 000E8500, 000E8554, 000E8598
                          • Failed to open service control manager., xrefs: 000E850A
                          • Failed to read configuration for WU service., xrefs: 000E85DB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: Service$ErrorLast$CloseHandleOpen$ManagerQueryStatus
                          • String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$c:\agent\_work\35\s\wix\src\burn\engine\msuengine.cpp$wuauserv
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,000CD807,00000008,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000CCF1C
                          • GetLastError.KERNEL32(?,000CD807,00000008,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000CCF28
                          • _memcmp.LIBVCRUNTIME ref: 000CCFD0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: ErrorHandleLastModule_memcmp
                          • String ID: .wix$.wixburn$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$c:\agent\_work\35\s\wix\src\burn\engine\section.cpp
                          APIs
                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 000CBFAE
                          • RegCloseKey.ADVAPI32(00000000,00000100,00000000,000002C0,?,00000001,00000000,00000000,?,00000000,?,000002C0,000002C0,?,00000000,00000000), ref: 000CC102
                          Strings
                          • Failed to open registry key. Key = '%ls', xrefs: 000CC003
                          • Failed to format value string., xrefs: 000CC03A
                          • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 000CC09D
                          • Failed to query registry key value., xrefs: 000CC090
                          • RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 000CC0DA
                          • Failed to set variable., xrefs: 000CC0C5
                          • Registry key not found. Key = '%ls', xrefs: 000CBFEF
                          • Failed to format key string., xrefs: 000CBFB9
                          • c:\agent\_work\35\s\wix\src\burn\engine\search.cpp, xrefs: 000CC086
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: CloseOpen@16
                          • String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$c:\agent\_work\35\s\wix\src\burn\engine\search.cpp
                          APIs
                          • GetModuleHandleExW.KERNEL32(00000000,ntdll,?), ref: 000C868C
                          • GetLastError.KERNEL32 ref: 000C8696
                          • GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 000C86D9
                          • GetLastError.KERNEL32 ref: 000C86E3
                          • FreeLibrary.KERNEL32(00000000,00000000,?), ref: 000C880C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: ErrorLast$AddressFreeHandleLibraryModuleProc
                          • String ID: Failed to get OS info.$Failed to locate NTDLL.$Failed to locate RtlGetVersion.$Failed to set variant value.$RtlGetVersion$c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp$ntdll
                          APIs
                          • TlsAlloc.KERNEL32(?,00000001,00000001,00000000,00000000,?,?,?,000C712C,?,?,?,?), ref: 000C65F0
                          • GetLastError.KERNEL32(?,?,?,000C712C,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000C6601
                          • ReleaseMutex.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 000C673E
                          • CloseHandle.KERNEL32(?,?,?,?,000C712C,?,?,?,?,?,?,?,?,?,?,?), ref: 000C6747
                          Strings
                          • c:\agent\_work\35\s\wix\src\burn\engine\engine.cpp, xrefs: 000C6625, 000C666E
                          • Failed to set elevated pipe into thread local storage for logging., xrefs: 000C6678
                          • Failed to pump messages from parent process., xrefs: 000C6712
                          • Failed to allocate thread local storage for logging., xrefs: 000C662F
                          • comres.dll, xrefs: 000C66AD
                          • Failed to connect to unelevated process., xrefs: 000C65E6
                          • Failed to create the message window., xrefs: 000C669C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: AllocCloseErrorHandleLastMutexRelease
                          • String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create the message window.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$c:\agent\_work\35\s\wix\src\burn\engine\engine.cpp$comres.dll
                          APIs
                          • GetTempPathW.KERNEL32(00000104,?,?,00000000,crypt32.dll), ref: 000D5863
                          • GetLastError.KERNEL32(?,00000000,crypt32.dll), ref: 000D586D
                          • GetCurrentProcessId.KERNEL32(?,?,?,00000104,?,?,00000000,crypt32.dll), ref: 000D58D6
                          • ProcessIdToSessionId.KERNEL32(00000000,?,00000000,crypt32.dll), ref: 000D58DD
                          • CompareStringW.KERNEL32(00000000,00000000,?,?,?,?,?,7FFFFFFF,?,?,?,?,?,00000000,crypt32.dll), ref: 000D5967
                          Strings
                          • %u\, xrefs: 000D58F7
                          • crypt32.dll, xrefs: 000D5822
                          • Failed to format session id as a string., xrefs: 000D590B
                          • Failed to get length of temp folder., xrefs: 000D58C7
                          • Failed to get temp folder., xrefs: 000D589B
                          • Failed to copy temp folder., xrefs: 000D5990
                          • c:\agent\_work\35\s\wix\src\burn\engine\logging.cpp, xrefs: 000D5891
                          • Failed to get length of session id string., xrefs: 000D5932
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: Process$CompareCurrentErrorLastPathSessionStringTemp
                          • String ID: %u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$c:\agent\_work\35\s\wix\src\burn\engine\logging.cpp$crypt32.dll
                          APIs
                          • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 000C9CFC
                          • LeaveCriticalSection.KERNEL32(?), ref: 000C9F24
                          Strings
                          • Failed to write variable name., xrefs: 000C9F0B
                          • feclient.dll, xrefs: 000C9DD7, 000C9E2D, 000C9E6E
                          • Failed to write variable value as number., xrefs: 000C9ECE
                          • Failed to write variable count., xrefs: 000C9D17
                          • Failed to get numeric., xrefs: 000C9EF6
                          • Failed to write included flag., xrefs: 000C9F12
                          • Unsupported variable type., xrefs: 000C9EE1
                          • Failed to write literal flag., xrefs: 000C9EFD
                          • Failed to write variable value type., xrefs: 000C9F04
                          • Failed to get version., xrefs: 000C9ED5
                          • Failed to get string., xrefs: 000C9EEF
                          • Failed to write variable value as string., xrefs: 000C9EE8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: CriticalSection$EnterLeave
                          • String ID: Failed to get numeric.$Failed to get string.$Failed to get version.$Failed to write included flag.$Failed to write literal flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$feclient.dll
                          APIs
                          • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,000DC472,?,00000000,00000000,00000000,?), ref: 000DB3FB
                          • GetLastError.KERNEL32(?,000DC472,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 000DB40B
                            • Part of subcall function 000C37ED: Sleep.KERNEL32(?,00000000,?,000DA21F,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,000C6A86), ref: 000C3804
                          • CloseHandle.KERNEL32(00000000,?,00000001,00000003,000007D0,00000000,00000000), ref: 000DB517
                          Strings
                          • Moving, xrefs: 000DB4AD
                          • Copying, xrefs: 000DB4B6, 000DB4C1
                          • Failed to move %ls to %ls, xrefs: 000DB4EF
                          • Failed to open payload in working path: %ls, xrefs: 000DB43A
                          • %ls payload from working path '%ls' to path '%ls', xrefs: 000DB4C2
                          • c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp, xrefs: 000DB42F
                          • Failed to verify payload signature: %ls, xrefs: 000DB466
                          • Failed to verify payload hash: %ls, xrefs: 000DB4A3
                          • Failed to copy %ls to %ls, xrefs: 000DB505
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: CloseCreateErrorFileHandleLastSleep
                          • String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000), ref: 000C82F5
                            • Part of subcall function 00105C35: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,000C7B69,00000000), ref: 00105C4A
                            • Part of subcall function 00105C35: GetProcAddress.KERNEL32(00000000), ref: 00105C51
                            • Part of subcall function 00105C35: GetLastError.KERNEL32(?,?,?,?,000C7B69,00000000), ref: 00105C6C
                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 000C8321
                          • GetLastError.KERNEL32 ref: 000C832F
                          • GetSystemWow64DirectoryW.KERNEL32(?,00000104,00000000), ref: 000C8367
                          • GetLastError.KERNEL32 ref: 000C8371
                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 000C83B4
                          • GetLastError.KERNEL32 ref: 000C83BE
                          Strings
                          • Failed to get 64-bit system folder., xrefs: 000C835D
                          • Failed to backslash terminate system folder., xrefs: 000C8401
                          • Failed to set system folder variant value., xrefs: 000C841D
                          • Failed to get 32-bit system folder., xrefs: 000C839F
                          • c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp, xrefs: 000C8353, 000C8395
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: ErrorLast$DirectorySystem$AddressCurrentHandleModuleProcProcessWow64
                          • String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp
                          APIs
                            • Part of subcall function 000D5764: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000000,?,?,?,?,000D5C74,feclient.dll,?,00000000,?,?,?,000C67E0), ref: 000D5805
                          • Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,000C67E0,?,?,0010E488,?,00000001,00000000,00000000), ref: 000D5D0B
                          Strings
                          Similarity
                          • API ID: CloseSleep
                          • String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
                          APIs
                          • EnterCriticalSection.KERNEL32(00000000,000C7083,00000000,000C710B,00000000,?,000C9FEE,?,?,?,00000000,00000000), ref: 000C8ACF
                            • Part of subcall function 000C736B: CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,000C828E,000C828E,?,000C7301,?,?,00000000), ref: 000C73A7
                            • Part of subcall function 000C736B: GetLastError.KERNEL32(?,000C7301,?,?,00000000,?,?,000C828E,?,000C9C40,?,?,?,?,?), ref: 000C73D6
                          • LeaveCriticalSection.KERNEL32(00000000,?,?,00000000,00000000,00000000), ref: 000C8C5F
                          Strings
                          • Attempt to set built-in variable value: %ls, xrefs: 000C8B5D
                          • Setting numeric variable '%ls' to value %lld, xrefs: 000C8C00
                          • Unsetting variable '%ls', xrefs: 000C8BE8, 000C8C1B
                          • Failed to insert variable '%ls'., xrefs: 000C8B14
                          • Setting hidden variable '%ls', xrefs: 000C8B8D
                          • Setting string variable '%ls' to value '%ls', xrefs: 000C8BEF, 000C8BF7
                          • Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 000C8C71
                          • Failed to set value of variable: %ls, xrefs: 000C8C47
                          • Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 000C8BD4
                          • Failed to find variable value '%ls'., xrefs: 000C8AEA
                          • c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp, xrefs: 000C8B52
                          Similarity
                          • API ID: CriticalSection$CompareEnterErrorLastLeaveString
                          • String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp
                          APIs
                          • CompareStringW.KERNEL32(00000000,00000001,006C0064,000000FF,00200064,000000FF,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 000D49BB
                          Strings
                          • crypt32.dll, xrefs: 000D4A06, 000D4B00, 000D4BF5, 000D4C6A
                          • Failed to create the string dictionary., xrefs: 000D49F4
                          • Failed to add registration action for self dependent., xrefs: 000D4C88
                          • wininet.dll, xrefs: 000D4C08
                          • Failed to add self-dependent to ignore dependents., xrefs: 000D4A3F
                          • Failed to add dependents ignored from command-line., xrefs: 000D4A70
                          • Failed to allocate registration action., xrefs: 000D4A24
                          • Failed to add registration action for dependent related bundle., xrefs: 000D4CBD
                          • Failed to add dependent bundle provider key to ignore dependents., xrefs: 000D4B25
                          • Failed to check for remaining dependents during planning., xrefs: 000D4B61
                          Similarity
                          • API ID: CompareString
                          • String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.$crypt32.dll$wininet.dll
                          APIs
                          • EnterCriticalSection.KERNEL32(?), ref: 000E14DC
                          • UuidCreate.RPCRT4(?), ref: 000E15BF
                          • StringFromGUID2.OLE32(?,?,00000027), ref: 000E15E0
                          • LeaveCriticalSection.KERNEL32(?,?), ref: 000E1689
                          Strings
                          • Failed to create bundle update guid., xrefs: 000E15CC
                          • Failed to convert bundle update guid into string., xrefs: 000E15FF
                          • Failed to recreate command-line for update bundle., xrefs: 000E15A7
                          • update\%ls, xrefs: 000E1538
                          • c:\agent\_work\35\s\wix\src\burn\engine\engineforapplication.cpp, xrefs: 000E15F5
                          • Failed to default local update source, xrefs: 000E154C
                          • Failed to set update bundle., xrefs: 000E1663
                          Similarity
                          • API ID: CriticalSection$CreateEnterFromLeaveStringUuid
                          • String ID: Failed to convert bundle update guid into string.$Failed to create bundle update guid.$Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$c:\agent\_work\35\s\wix\src\burn\engine\engineforapplication.cpp$update\%ls
                          APIs
                          • IsWindow.USER32(?), ref: 000C6932
                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 000C6943
                          Strings
                          • Failed to set registration variables., xrefs: 000C68AC
                          • Failed while running , xrefs: 000C68F8
                          • Failed to create the message window., xrefs: 000C6866
                          • WixBundleLayoutDirectory, xrefs: 000C68C3
                          • Failed to query registration., xrefs: 000C687C
                          • Failed to set action variables., xrefs: 000C6892
                          • Failed to set layout directory variable to value provided from command-line., xrefs: 000C68D4
                          • Failed to open log., xrefs: 000C67E6
                          • Failed to check global conditions, xrefs: 000C6817
                          Similarity
                          • API ID: MessagePostWindow
                          • String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
                          APIs
                            • Part of subcall function 000C50E9: GetProcessHeap.KERNEL32(?,000001C7,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C50FA
                            • Part of subcall function 000C50E9: RtlAllocateHeap.NTDLL(00000000,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5101
                          • EnterCriticalSection.KERNEL32(?,00000014,00000001), ref: 000E0C12
                          • LeaveCriticalSection.KERNEL32(?), ref: 000E0D3F
                          Strings
                          • Failed to copy the id., xrefs: 000E0CA4
                          • Failed to copy the arguments., xrefs: 000E0CD1
                          • Engine is active, cannot change engine state., xrefs: 000E0C2D
                          • c:\agent\_work\35\s\wix\src\burn\engine\engineforapplication.cpp, xrefs: 000E0D20
                          • Failed to post launch approved exe message., xrefs: 000E0D2A
                          • UX requested unknown approved exe with id: %ls, xrefs: 000E0C72
                          Similarity
                          • API ID: CriticalHeapSection$AllocateEnterLeaveProcess
                          • String ID: Engine is active, cannot change engine state.$Failed to copy the arguments.$Failed to copy the id.$Failed to post launch approved exe message.$UX requested unknown approved exe with id: %ls$c:\agent\_work\35\s\wix\src\burn\engine\engineforapplication.cpp
                          APIs
                          • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,000DC405,?,00000000,00000000,00000000,?), ref: 000DB2E6
                          • GetLastError.KERNEL32(?,000DC405,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 000DB2F4
                            • Part of subcall function 000C37ED: Sleep.KERNEL32(?,00000000,?,000DA21F,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,000C6A86), ref: 000C3804
                          • CloseHandle.KERNEL32(00000000,?,00000001,00000003,000007D0,00000000,00000000), ref: 000DB3D2
                          Strings
                          • Moving, xrefs: 000DB368
                          • Copying, xrefs: 000DB371, 000DB37C
                          • Failed to move %ls to %ls, xrefs: 000DB3AA
                          • Failed to verify container hash: %ls, xrefs: 000DB355
                          • %ls container from working path '%ls' to path '%ls', xrefs: 000DB37D
                          • c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp, xrefs: 000DB318
                          • Failed to open container in working path: %ls, xrefs: 000DB323
                          • Failed to copy %ls to %ls, xrefs: 000DB3C0
                          Similarity
                          • API ID: CloseCreateErrorFileHandleLastSleep
                          • String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp
                          APIs
                          • EnterCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 000C8CB6
                          • LeaveCriticalSection.KERNEL32(?), ref: 000C8EC2
                          Strings
                          • Failed to read variable value as string., xrefs: 000C8E8F
                          • Failed to read variable value as number., xrefs: 000C8E7C
                          • Failed to set variable., xrefs: 000C8E96
                          • Failed to read variable included flag., xrefs: 000C8EB2
                          • Failed to read variable name., xrefs: 000C8EAB
                          • Unsupported variable type., xrefs: 000C8E88
                          • Failed to read variable value type., xrefs: 000C8EA4
                          • Failed to read variable count., xrefs: 000C8CD6
                          • Failed to set variable value., xrefs: 000C8E75
                          • Failed to read variable literal flag., xrefs: 000C8E9D
                          Similarity
                          • API ID: CriticalSection$EnterLeave
                          • String ID: Failed to read variable count.$Failed to read variable included flag.$Failed to read variable literal flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.
                          APIs
                          • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 000C3C38
                          • GetLastError.KERNEL32 ref: 000C3C4E
                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 000C3C9E
                          • GetLastError.KERNEL32 ref: 000C3CA8
                          • SetFilePointer.KERNEL32(00000000,?,?,00000001), ref: 000C3CFC
                          • GetLastError.KERNEL32 ref: 000C3D07
                          • ReadFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,00000001), ref: 000C3DF6
                          • CloseHandle.KERNEL32(?), ref: 000C3E69
                          Strings
                          Similarity
                          • API ID: File$ErrorLast$CloseCreateHandlePointerReadSize
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\fileutil.cpp
                          APIs
                          • ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000040,00000000,00000000), ref: 000C4B32
                          • GetLastError.KERNEL32 ref: 000C4B38
                          • ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000000), ref: 000C4B92
                          • GetLastError.KERNEL32 ref: 000C4B98
                          • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000C4C4C
                          • GetLastError.KERNEL32 ref: 000C4C56
                          • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 000C4CAC
                          • GetLastError.KERNEL32 ref: 000C4CB6
                          Strings
                          • @, xrefs: 000C4B0C
                          • c:\agent\_work\35\s\wix\src\libs\dutil\pathutil.cpp, xrefs: 000C4B5C
                          Similarity
                          • API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
                          • String ID: @$c:\agent\_work\35\s\wix\src\libs\dutil\pathutil.cpp
                          APIs
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,label,000000FF,?,?,?,74DEDFD0,?,0010A84D,?,?), ref: 0010A331
                          • SysFreeString.OLEAUT32(00000000), ref: 0010A39C
                          • SysFreeString.OLEAUT32(00000000), ref: 0010A414
                          • SysFreeString.OLEAUT32(00000000), ref: 0010A453
                          Strings
                          Similarity
                          • API ID: String$Free$Compare
                          • String ID: `<u$label$scheme$term
                          APIs
                          • UuidCreate.RPCRT4(?), ref: 000D6A85
                          • StringFromGUID2.OLE32(?,?,00000027), ref: 000D6AB4
                          • UuidCreate.RPCRT4(?), ref: 000D6AFF
                          • StringFromGUID2.OLE32(?,?,00000027), ref: 000D6B2B
                          Strings
                          • Failed to allocate pipe name., xrefs: 000D6AF4
                          • Failed to create pipe guid., xrefs: 000D6A92
                          • BurnPipe.%s, xrefs: 000D6AE0
                          • Failed to allocate pipe secret., xrefs: 000D6B54
                          • c:\agent\_work\35\s\wix\src\burn\engine\pipe.cpp, xrefs: 000D6AC5, 000D6B12
                          • Failed to convert pipe guid into string., xrefs: 000D6AD1
                          Similarity
                          • API ID: CreateFromStringUuid
                          • String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$c:\agent\_work\35\s\wix\src\burn\engine\pipe.cpp
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 000C7D13
                          • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 000C7D27
                          • GetLastError.KERNEL32 ref: 000C7D39
                          • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 000C7D8D
                          • GetLastError.KERNEL32 ref: 000C7D97
                          Strings
                          • Failed to get the Date., xrefs: 000C7DBC
                          • Failed to get the required buffer length for the Date., xrefs: 000C7D5E
                          • Failed to allocate the buffer for the Date., xrefs: 000C7D75
                          • Failed to set variant value., xrefs: 000C7DD5
                          • c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp, xrefs: 000C7D54, 000C7DB2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Similarity
                          • API ID: DateErrorFormatLast$SystemTime
                          • String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp
                          APIs
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,000C7154,?,?), ref: 000E064A
                          • GetLastError.KERNEL32(?,000C7154,?,?), ref: 000E0657
                          • CreateThread.KERNEL32(00000000,00000000,000E0368,?,00000000,00000000), ref: 000E06B0
                          • GetLastError.KERNEL32(?,000C7154,?,?), ref: 000E06BD
                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,000C7154,?,?), ref: 000E06F8
                          • CloseHandle.KERNEL32(00000000,?,000C7154,?,?), ref: 000E0717
                          • CloseHandle.KERNEL32(?,?,000C7154,?,?), ref: 000E0724
                          Strings
                          • Failed to create the UI thread., xrefs: 000E06E8
                          • c:\agent\_work\35\s\wix\src\burn\engine\uithread.cpp, xrefs: 000E0678, 000E06DE
                          • Failed to create initialization event., xrefs: 000E0682
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Similarity
                          • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
                          • String ID: Failed to create initialization event.$Failed to create the UI thread.$c:\agent\_work\35\s\wix\src\burn\engine\uithread.cpp
                          APIs
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,000C7154,?,?), ref: 000E021E
                          • GetLastError.KERNEL32(?,?,000C7154,?,?), ref: 000E022B
                          • CreateThread.KERNEL32(00000000,00000000,000DFF82,00000000,00000000,00000000), ref: 000E028A
                          • GetLastError.KERNEL32(?,?,000C7154,?,?), ref: 000E0297
                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,000C7154,?,?), ref: 000E02D2
                          • CloseHandle.KERNEL32(?,?,?,000C7154,?,?), ref: 000E02E6
                          • CloseHandle.KERNEL32(?,?,?,000C7154,?,?), ref: 000E02F3
                          Strings
                          • Failed to create UI thread., xrefs: 000E02C2
                          • c:\agent\_work\35\s\wix\src\burn\engine\splashscreen.cpp, xrefs: 000E024C, 000E02B8
                          • Failed to create modal event., xrefs: 000E0256
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Similarity
                          • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
                          • String ID: Failed to create UI thread.$Failed to create modal event.$c:\agent\_work\35\s\wix\src\burn\engine\splashscreen.cpp
                          APIs
                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,74DF2F60,?,?), ref: 000E3006
                          • GetLastError.KERNEL32 ref: 000E3019
                          • GetExitCodeThread.KERNEL32(0010E488,00000000), ref: 000E305B
                          • GetLastError.KERNEL32 ref: 000E3069
                          • ResetEvent.KERNEL32(0010E460), ref: 000E30A4
                          • GetLastError.KERNEL32 ref: 000E30AE
                          Strings
                          • c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp, xrefs: 000E3040, 000E3090, 000E30D5
                          • Failed to get extraction thread exit code., xrefs: 000E309A
                          • Failed to wait for operation complete event., xrefs: 000E304A
                          • Failed to reset operation complete event., xrefs: 000E30DF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Similarity
                          • API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
                          • String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp
                          APIs
                          • SetEvent.KERNEL32(0010E478,?,00000000,?,000CDED5,?,000C7083,00000000,?,000D948E,?,000C7333,000C713F,000C713F,00000000,?), ref: 000E3119
                          • GetLastError.KERNEL32(?,000CDED5,?,000C7083,00000000,?,000D948E,?,000C7333,000C713F,000C713F,00000000,?,000C714F,FFF9E89D,000C714F), ref: 000E3123
                          • WaitForSingleObject.KERNEL32(0010E488,000000FF,?,000CDED5,?,000C7083,00000000,?,000D948E,?,000C7333,000C713F,000C713F,00000000,?,000C714F), ref: 000E315D
                          • GetLastError.KERNEL32(?,000CDED5,?,000C7083,00000000,?,000D948E,?,000C7333,000C713F,000C713F,00000000,?,000C714F,FFF9E89D,000C714F), ref: 000E3167
                          • CloseHandle.KERNEL32(00000000,000C714F,?,00000000,?,000CDED5,?,000C7083,00000000,?,000D948E,?,000C7333,000C713F,000C713F,00000000), ref: 000E31B2
                          • CloseHandle.KERNEL32(00000000,000C714F,?,00000000,?,000CDED5,?,000C7083,00000000,?,000D948E,?,000C7333,000C713F,000C713F,00000000), ref: 000E31C1
                          • CloseHandle.KERNEL32(00000000,000C714F,?,00000000,?,000CDED5,?,000C7083,00000000,?,000D948E,?,000C7333,000C713F,000C713F,00000000), ref: 000E31D0
                          Strings
                          • Failed to wait for thread to terminate., xrefs: 000E3195
                          • c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp, xrefs: 000E3147, 000E318B
                          • Failed to set begin operation event., xrefs: 000E3151
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Similarity
                          • API ID: CloseHandle$ErrorLast$EventObjectSingleWait
                          • String ID: Failed to set begin operation event.$Failed to wait for thread to terminate.$c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp
                          APIs
                          • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,000C7B69,00000000), ref: 00105C4A
                          • GetProcAddress.KERNEL32(00000000), ref: 00105C51
                          • GetLastError.KERNEL32(?,?,?,?,000C7B69,00000000), ref: 00105C6C
                          • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,?,000C7B69,00000000), ref: 00105CAE
                          • GetProcAddress.KERNEL32(00000000), ref: 00105CB5
                          • GetLastError.KERNEL32(?,?,?,?,000C7B69,00000000), ref: 00105CCC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Similarity
                          • API ID: AddressErrorHandleLastModuleProc
                          • String ID: IsWow64Process$IsWow64Process2$c:\agent\_work\35\s\wix\src\libs\dutil\procutil.cpp$kernel32
                          APIs
                            • Part of subcall function 00105630: EnterCriticalSection.KERNEL32(0012F764,00000000,?,?,?,000D5ECA,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,000C71C0,?), ref: 00105640
                            • Part of subcall function 00105630: LeaveCriticalSection.KERNEL32(0012F764,?,?,0012F75C,?,000D5ECA,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,000C71C0,?), ref: 00105787
                          • OpenEventLogW.ADVAPI32(00000000,Application), ref: 000D5ED5
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 000D5EE1
                          • ReportEventW.ADVAPI32(00000000,00000001,00000001,00000001,00000000,00000001,00000000,00116E8C,00000000), ref: 000D5F2E
                          • CloseEventLog.ADVAPI32(00000000), ref: 000D5F35
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Similarity
                          • API ID: Event$CriticalSection$CloseEnterErrorLastLeaveOpenReport
                          • String ID: Application$Failed to open Application event log$Setup$_Failed$c:\agent\_work\35\s\wix\src\burn\engine\logging.cpp$txt
                          APIs
                          • GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 000DB0CE
                          • GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 000DB0F6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Similarity
                          • API ID: ErrorLast
                          • String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp
                          APIs
                          • GetWindowLongW.USER32(?,000000EB), ref: 000E012F
                          • DefWindowProcW.USER32(?,00000082,?,?), ref: 000E016D
                          • SetWindowLongW.USER32(?,000000EB,00000000), ref: 000E017A
                          • SetWindowLongW.USER32(?,000000EB,?), ref: 000E0189
                          • DefWindowProcW.USER32(?,?,?,?), ref: 000E0197
                          • CreateCompatibleDC.GDI32(?), ref: 000E01A3
                          • SelectObject.GDI32(00000000,00000000), ref: 000E01B4
                          • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 000E01D6
                          • SelectObject.GDI32(00000000,00000000), ref: 000E01DE
                          • DeleteDC.GDI32(00000000), ref: 000E01E1
                          • PostQuitMessage.USER32(00000000), ref: 000E01EF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Similarity
                          • API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
                          • String ID:
                          Strings
                          • WixBundleLastUsedSource, xrefs: 000DBDC3
                          • WixBundleOriginalSource, xrefs: 000DBDDE
                          • Failed to combine last source with source., xrefs: 000DBE3C
                          • Failed to combine layout source with source., xrefs: 000DBED1
                          • Failed to copy source path., xrefs: 000DBF4B
                          • Failed to get current process directory., xrefs: 000DBE1D
                          • Failed to get bundle layout directory property., xrefs: 000DBEB2
                          • WixBundleLayoutDirectory, xrefs: 000DBE97
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Similarity
                          • API ID: Find$CloseFileFirstlstrlen
                          • String ID: Failed to combine last source with source.$Failed to combine layout source with source.$Failed to copy source path.$Failed to get bundle layout directory property.$Failed to get current process directory.$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleOriginalSource
                          APIs
                          • GetTempPathW.KERNEL32(00000104,?,00000000,00000000,00000000), ref: 000C48D2
                          • GetLastError.KERNEL32 ref: 000C48DC
                          • GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 000C497C
                          • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 000C4A09
                          • GetLastError.KERNEL32 ref: 000C4A16
                          • Sleep.KERNEL32(00000064), ref: 000C4A2A
                          • CloseHandle.KERNEL32(?), ref: 000C4A92
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\pathutil.cpp, xrefs: 000C4900
                          • %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 000C49D9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Similarity
                          • API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
                          • String ID: %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$c:\agent\_work\35\s\wix\src\libs\dutil\pathutil.cpp
                          APIs
                          • CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,00000001,000000FF,?,00000001,000C7083,00000000,000C714F,000C710B,WixBundleUILevel,840F01E8,?,00000001), ref: 000CE916
                          Strings
                          • Failed to concat file paths., xrefs: 000CE9F6
                          • Failed to get directory portion of local file path, xrefs: 000CE9EF
                          • Failed to extract file., xrefs: 000CE9E1
                          • c:\agent\_work\35\s\wix\src\burn\engine\payload.cpp, xrefs: 000CEA17
                          • Payload was not found in container: %ls, xrefs: 000CEA23
                          • Failed to ensure directory exists, xrefs: 000CE9E8
                          • Failed to find embedded payload: %ls, xrefs: 000CE942
                          • Failed to get next stream., xrefs: 000CE9FD
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Similarity
                          • API ID: CompareString
                          • String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$c:\agent\_work\35\s\wix\src\burn\engine\payload.cpp
                          APIs
                          • PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 000C648D
                          • GetCurrentThreadId.KERNEL32 ref: 000C6493
                          • GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 000C6521
                          Strings
                          • c:\agent\_work\35\s\wix\src\burn\engine\engine.cpp, xrefs: 000C656D
                          • Failed to create engine for UX., xrefs: 000C64AD
                          • wininet.dll, xrefs: 000C64C0
                          • Unexpected return value from message pump., xrefs: 000C6577
                          • Failed to load UX., xrefs: 000C64D6
                          • Failed to start bootstrapper application., xrefs: 000C64EF
                          Similarity
                          • API ID: Message$CurrentPeekThread
                          • String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$c:\agent\_work\35\s\wix\src\burn\engine\engine.cpp$wininet.dll
                          APIs
                          • SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,000ECA92,?,00000001,00000000), ref: 000EB798
                          • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,000ECA92,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 000EB7A2
                          • CopyFileExW.KERNEL32(00000000,00000000,000EB5E6,?,?,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 000EB7F0
                          • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,000ECA92,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 000EB81F
                          Strings
                          • copy, xrefs: 000EB766
                          • Failed to clear readonly bit on payload destination path: %ls, xrefs: 000EB7D1
                          • Failed attempt to copy payload from: '%ls' to: %ls., xrefs: 000EB851
                          • c:\agent\_work\35\s\wix\src\burn\engine\apply.cpp, xrefs: 000EB7C6, 000EB80A, 000EB843
                          • BA aborted copy of payload from: '%ls' to: %ls., xrefs: 000EB818
                          Similarity
                          • API ID: ErrorFileLast$AttributesCopy
                          • String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload destination path: %ls$c:\agent\_work\35\s\wix\src\burn\engine\apply.cpp$copy
                          APIs
                          • LocalFree.KERNEL32(00000000,?,00000001,80000005,?,00000000,00000000,00000000,00000003,000007D0), ref: 000DAC2A
                          Strings
                          • Failed to allocate access for Administrators group to path: %ls, xrefs: 000DAB32
                          • Failed to allocate access for SYSTEM group to path: %ls, xrefs: 000DAB53
                          • Failed to secure cache path: %ls, xrefs: 000DAC0D
                          • Failed to allocate access for Everyone group to path: %ls, xrefs: 000DAB74
                          • Failed to create ACL to secure cache path: %ls, xrefs: 000DABDE
                          • c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp, xrefs: 000DABD3
                          • Failed to allocate access for Users group to path: %ls, xrefs: 000DAB95
                          Similarity
                          • API ID: FreeLocal
                          • String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp
                          APIs
                          • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,name,000000FF,00000000,00000000,00000000,?,74DEDFD0), ref: 0010A215
                          • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,email,000000FF), ref: 0010A232
                          • SysFreeString.OLEAUT32(00000000), ref: 0010A270
                          • SysFreeString.OLEAUT32(00000000), ref: 0010A2B4
                          Similarity
                          • API ID: String$CompareFree
                          • String ID: `<u$email$name$uri
                          APIs
                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 000D116A
                            • Part of subcall function 000C1B27: CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,000DBD0A,00000000,00000000,?,00000000,000C7083,00000000,?,?,000CF29E,?), ref: 000C1B35
                            • Part of subcall function 000C1B27: GetLastError.KERNEL32(?,000DBD0A,00000000,00000000,?,00000000,000C7083,00000000,?,?,000CF29E,?,00000000,00000000), ref: 000C1B43
                          • lstrlenA.KERNEL32(002E0032,00000000,00000094,00000000,00000094,crypt32.dll,crypt32.dll,000D2190,swidtag,00000094,0010E500,00330074,000D2190,00000000,crypt32.dll,00000000), ref: 000D11BD
                            • Part of subcall function 000C4483: CreateFileW.KERNEL32(002E0032,40000000,00000001,00000000,00000002,00000080,00000000,000D2190,00000000,?,000D11D4,0010E500,00000080,002E0032,00000000), ref: 000C449B
                            • Part of subcall function 000C4483: GetLastError.KERNEL32(?,000D11D4,0010E500,00000080,002E0032,00000000,?,000D2190,crypt32.dll,00000094,?,?,?,?,?,00000000), ref: 000C44A8
                          Similarity
                          • API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
                          • String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$crypt32.dll$swidtag
                          APIs
                          • LoadBitmapW.USER32(?,00000001), ref: 000DFEA1
                          • GetLastError.KERNEL32 ref: 000DFEAD
                          • GetObjectW.GDI32(00000000,00000018,?), ref: 000DFEF4
                          • GetCursorPos.USER32(?), ref: 000DFF15
                          • MonitorFromPoint.USER32(?,?,00000002), ref: 000DFF27
                          • GetMonitorInfoW.USER32(00000000,?), ref: 000DFF3D
                          Strings
                          • c:\agent\_work\35\s\wix\src\burn\engine\splashscreen.cpp, xrefs: 000DFED1
                          • (, xrefs: 000DFF34
                          • Failed to load splash screen bitmap., xrefs: 000DFEDB
                          Similarity
                          • API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
                          • String ID: ($Failed to load splash screen bitmap.$c:\agent\_work\35\s\wix\src\burn\engine\splashscreen.cpp
                          APIs
                          • GetCurrentProcessId.KERNEL32(?,00000000,?,?,0010E500), ref: 000D6D94
                          • GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 000D6E32
                          • CloseHandle.KERNEL32(00000000), ref: 000D6E4B
                          Similarity
                          • API ID: Process$CloseCurrentHandle
                          • String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
                          APIs
                          • GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 000C859F
                          • GetProcAddress.KERNEL32(00000000), ref: 000C85A6
                          • GetLastError.KERNEL32 ref: 000C85B0
                          Strings
                          • Failed to get msi.dll version info., xrefs: 000C85F8
                          • msi, xrefs: 000C8596
                          • Failed to find DllGetVersion entry point in msi.dll., xrefs: 000C85DE
                          • DllGetVersion, xrefs: 000C8591
                          • Failed to set variant value., xrefs: 000C861C
                          • c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp, xrefs: 000C85D4
                          Similarity
                          • API ID: AddressErrorHandleLastModuleProc
                          • String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp$msi
                          APIs
                          • LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,000C64D0,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,000C7154,?), ref: 000CF3C1
                          • GetLastError.KERNEL32(?,000C64D0,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,000C7154,?,?), ref: 000CF3CE
                          • GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 000CF406
                          • GetLastError.KERNEL32(?,000C64D0,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,000C7154,?,?), ref: 000CF412
                          Strings
                          • c:\agent\_work\35\s\wix\src\burn\engine\userexperience.cpp, xrefs: 000CF3EF, 000CF433
                          • Failed to get BootstrapperApplicationCreate entry-point, xrefs: 000CF43D
                          • Failed to create UX., xrefs: 000CF456
                          • BootstrapperApplicationCreate, xrefs: 000CF400
                          • Failed to load UX DLL., xrefs: 000CF3F9
                          Similarity
                          • API ID: ErrorLast$AddressLibraryLoadProc
                          • String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$c:\agent\_work\35\s\wix\src\burn\engine\userexperience.cpp
                          APIs
                          • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,000C118B,cabinet.dll,00000009,?,?,00000000), ref: 000C150F
                          • GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,000C118B,cabinet.dll,00000009,?,?,00000000), ref: 000C151A
                          • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 000C1528
                          • GetLastError.KERNEL32(?,?,?,?,?,000C118B,cabinet.dll,00000009,?,?,00000000), ref: 000C1543
                          • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 000C154B
                          • GetLastError.KERNEL32(?,?,?,?,?,000C118B,cabinet.dll,00000009,?,?,00000000), ref: 000C1560
                          Similarity
                          • API ID: AddressErrorLastProc$HandleHeapInformationModule
                          • String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
                          APIs
                          • EnterCriticalSection.KERNEL32(?), ref: 000E11E7
                          • LeaveCriticalSection.KERNEL32(?), ref: 000E1362
                          Strings
                          • Failed to set download URL., xrefs: 000E12C1
                          • Engine is active, cannot change engine state., xrefs: 000E1201
                          • UX denied while trying to set download URL on embedded payload: %ls, xrefs: 000E1252
                          • Failed to set download password., xrefs: 000E1310
                          • UX requested unknown payload with id: %ls, xrefs: 000E123C
                          • Failed to set download user., xrefs: 000E12EA
                          • UX did not provide container or payload id., xrefs: 000E1351
                          • UX requested unknown container with id: %ls, xrefs: 000E128C
                          Similarity
                          • API ID: CriticalSection$EnterLeave
                          • String ID: Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
                          APIs
                          • CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,00000410,000000FF,?,00000000,00000000), ref: 00109040
                          • GetLastError.KERNEL32 ref: 0010904E
                          • VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 0010908F
                          • GetLastError.KERNEL32 ref: 0010909C
                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0010920F
                          • CloseHandle.KERNEL32(?), ref: 0010921E
                          Strings
                          • GET, xrefs: 00109143
                          • c:\agent\_work\35\s\wix\src\libs\dutil\dlutil.cpp, xrefs: 00109072
                          Similarity
                          • API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
                          • String ID: GET$c:\agent\_work\35\s\wix\src\libs\dutil\dlutil.cpp
                          APIs
                            • Part of subcall function 000D2CEB: CompareStringW.KERNEL32(00000000,00000000,feclient.dll,000000FF,00000000,000000FF,00000000,00000000,?,?,000D293E,?,00000000,?,00000000,00000000), ref: 000D2D1A
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000000,?,00000000,00000001,?,?,00000000,?,00000000), ref: 000D2AC2
                          • GetLastError.KERNEL32 ref: 000D2ACF
                          Strings
                          • Failed to append package start action., xrefs: 000D2964
                          • Failed to create syncpoint event., xrefs: 000D2AFD
                          • Failed to append rollback cache action., xrefs: 000D299E
                          • c:\agent\_work\35\s\wix\src\burn\engine\plan.cpp, xrefs: 000D2AF3
                          • Failed to append payload cache action., xrefs: 000D2A79
                          • Failed to append cache action., xrefs: 000D2A19
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: CompareCreateErrorEventLastString
                          • String ID: Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$c:\agent\_work\35\s\wix\src\burn\engine\plan.cpp
                          APIs
                          • CompareStringW.KERNEL32(0000007F,00000000,74DEDFD0,000000FF,type,000000FF,?,74DEDFD0,74DEDFD0,74DEDFD0), ref: 0010A4DE
                          • SysFreeString.OLEAUT32(00000000), ref: 0010A529
                          • SysFreeString.OLEAUT32(00000000), ref: 0010A5A5
                          • SysFreeString.OLEAUT32(00000000), ref: 0010A5F1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: String$Free$Compare
                          • String ID: `<u$type$url
                          APIs
                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 000CBBEC
                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 000CBC11
                          Strings
                          • Failed to format component id string., xrefs: 000CBBF7
                          • Failed to set variable., xrefs: 000CBCF5
                          • MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 000CBD05
                          • Failed to format product code string., xrefs: 000CBC1C
                          • Failed to get component path: %d, xrefs: 000CBC75
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: Open@16
                          • String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
                          APIs
                          • ReadFile.KERNEL32(00000000,00000001,00000008,?,00000000,?,00000000,00000000,00000001,00000000,?,?,?,00000000,crypt32.dll,00000000), ref: 000D661C
                          • GetLastError.KERNEL32 ref: 000D6629
                          • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 000D66D4
                          • GetLastError.KERNEL32 ref: 000D66DE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: ErrorFileLastRead
                          • String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$c:\agent\_work\35\s\wix\src\burn\engine\pipe.cpp
                          APIs
                          • WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,000C7154,00000000,00000000,?,00000000), ref: 000D7146
                          • GetLastError.KERNEL32(?,?,?,000C692F,?,?,00000000,?,?,?,?,?,?,0010E4A0,?,?), ref: 000D7151
                          Strings
                          • Failed to post terminate message to child process., xrefs: 000D7131
                          • Failed to post terminate message to child process cache thread., xrefs: 000D7115
                          • Failed to wait for child process exit., xrefs: 000D717F
                          • Failed to write restart to message buffer., xrefs: 000D70E9
                          • c:\agent\_work\35\s\wix\src\burn\engine\pipe.cpp, xrefs: 000D7175
                          • Failed to write exit code to message buffer., xrefs: 000D70C1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: ErrorLastObjectSingleWait
                          • String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$c:\agent\_work\35\s\wix\src\burn\engine\pipe.cpp
                          APIs
                          • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000101,?,000DBB28,00000003,000007D0,00000003,?,000007D0), ref: 000DACD3
                          • GetLastError.KERNEL32(?,000DBB28,00000003,000007D0,00000003,?,000007D0,?,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001,?), ref: 000DACE0
                          • CloseHandle.KERNEL32(00000000,?,000DBB28,00000003,000007D0,00000003,?,000007D0,?,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001), ref: 000DADA8
                          Strings
                          • Failed to open payload at path: %ls, xrefs: 000DAD24
                          • Failed to verify hash of payload: %ls, xrefs: 000DAD93
                          • c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp, xrefs: 000DAD17
                          • Failed to verify signature of payload: %ls, xrefs: 000DAD50
                          • Failed to verify catalog signature of payload: %ls, xrefs: 000DAD6F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: CloseCreateErrorFileHandleLast
                          • String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp
                          APIs
                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 000C8870
                          • GetLastError.KERNEL32 ref: 000C887A
                          • GetVolumePathNameW.KERNEL32(?,?,00000104), ref: 000C88BE
                          • GetLastError.KERNEL32 ref: 000C88C8
                          Strings
                          • Failed to get volume path name., xrefs: 000C88F6
                          • Failed to set variant value., xrefs: 000C8912
                          • c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp, xrefs: 000C889E, 000C88EC
                          • Failed to get windows directory., xrefs: 000C88A8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: ErrorLast$DirectoryNamePathVolumeWindows
                          • String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp
                          APIs
                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 000CB983
                          • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,000CC5A7,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 000CB99B
                          • GetLastError.KERNEL32(?,000CC5A7,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 000CB9A8
                          Strings
                          • Failed to format variable string., xrefs: 000CB98E
                          • Failed to set variable., xrefs: 000CBA31
                          • File search: %ls, did not find path: %ls, xrefs: 000CB9FA
                          • Failed get to file attributes. '%ls', xrefs: 000CB9E5
                          • c:\agent\_work\35\s\wix\src\burn\engine\search.cpp, xrefs: 000CB9D8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: AttributesErrorFileLastOpen@16
                          • String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$c:\agent\_work\35\s\wix\src\burn\engine\search.cpp
                          APIs
                          • TlsSetValue.KERNEL32(?,?), ref: 000DC977
                          • GetLastError.KERNEL32 ref: 000DC981
                          • CoInitializeEx.OLE32(00000000,00000000), ref: 000DC9C0
                          • CoUninitialize.OLE32(?,000DE319,?,?), ref: 000DC9FD
                          Strings
                          • Failed to pump messages in child process., xrefs: 000DC9EB
                          • Failed to initialize COM., xrefs: 000DC9CC
                          • c:\agent\_work\35\s\wix\src\burn\engine\elevation.cpp, xrefs: 000DC9A5
                          • Failed to set elevated cache pipe into thread local storage for logging., xrefs: 000DC9AF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: ErrorInitializeLastUninitializeValue
                          • String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$c:\agent\_work\35\s\wix\src\burn\engine\elevation.cpp
                          APIs
                          • RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 000C7A23
                            • Part of subcall function 000C5967: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 000C59DD
                            • Part of subcall function 000C5967: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 000C5A15
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: QueryValue$Close
                          • String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
                          APIs
                          • SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,?,00000000,00000000,?), ref: 000EBDC9
                          • GetLastError.KERNEL32(?,?,?,00000000,00000000,?), ref: 000EBDD3
                          Strings
                          • Failed to clear readonly bit on payload destination path: %ls, xrefs: 000EBE02
                          • :, xrefs: 000EBE4C
                          • c:\agent\_work\35\s\wix\src\burn\engine\apply.cpp, xrefs: 000EBDF7
                          • Failed attempt to download URL: '%ls' to: '%ls', xrefs: 000EBEB0
                          • download, xrefs: 000EBD93
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: AttributesErrorFileLast
                          • String ID: :$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$c:\agent\_work\35\s\wix\src\burn\engine\apply.cpp$download
                          APIs
                            • Part of subcall function 000C50E9: GetProcessHeap.KERNEL32(?,000001C7,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C50FA
                            • Part of subcall function 000C50E9: RtlAllocateHeap.NTDLL(00000000,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5101
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000410,?,?,000EAAF7,000002C0,00000100), ref: 0010BA6A
                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,000EAAF7,000002C0,00000100,000002C0,000002C0,00000100,000002C0,00000410), ref: 0010BA85
                          Strings
                          • application, xrefs: 0010BA77
                          • c:\agent\_work\35\s\wix\src\libs\dutil\apuputil.cpp, xrefs: 0010BB20
                          • type, xrefs: 0010BAAC
                          • http://appsyndication.org/2006/appsyn, xrefs: 0010BA5D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: CompareHeapString$AllocateProcess
                          • String ID: application$c:\agent\_work\35\s\wix\src\libs\dutil\apuputil.cpp$http://appsyndication.org/2006/appsyn$type
                          APIs
                          • GetLastError.KERNEL32 ref: 00109AAE
                          • DeleteFileW.KERNEL32(00000410,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 00109BA5
                          • CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 00109BB4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: CloseDeleteErrorFileHandleLast
                          • String ID: Burn$DownloadTimeout$WiX\Burn$c:\agent\_work\35\s\wix\src\libs\dutil\dlutil.cpp
                          APIs
                          • _memcmp.LIBVCRUNTIME ref: 000DAF34
                            • Part of subcall function 00108C80: GetLastError.KERNEL32(?,?,000DAF59,?,00000003,000C714F,?), ref: 00108C9F
                          • _memcmp.LIBVCRUNTIME ref: 000DAF6E
                          • GetLastError.KERNEL32 ref: 000DAFE6
                          Strings
                          • Failed to find expected public key in certificate chain., xrefs: 000DAFA9
                          • Failed to get certificate public key identifier., xrefs: 000DB014
                          • Failed to read certificate thumbprint., xrefs: 000DAFDA
                          • c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp, xrefs: 000DB00A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ErrorLast_memcmp
                          • String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp
                          APIs
                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,00000001,00000000,?), ref: 000D23A2
                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,00000001,00000000,?), ref: 000D23B1
                            • Part of subcall function 000C54AE: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,000D22E9,?,00000000,00020006), ref: 000C54D3
                          Strings
                          • Failed to update resume mode., xrefs: 000D2386
                          • Failed to write volatile reboot required registry key., xrefs: 000D22ED
                          • Failed to open registration key., xrefs: 000D23E7
                          • Failed to delete registration key: %ls, xrefs: 000D2350
                          • %ls.RebootRequired, xrefs: 000D22BF
                          Similarity
                          • API ID: Close$Create
                          • String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.
                          APIs
                          • RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 000D161C
                          • RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 000D1629
                          Strings
                          • Resume, xrefs: 000D1590
                          • Failed to open registration key., xrefs: 000D1585
                          • Failed to format pending restart registry key to read., xrefs: 000D1520
                          • %ls.RebootRequired, xrefs: 000D1509
                          • Failed to read Resume value., xrefs: 000D15B2
                          Similarity
                          • API ID: Close
                          • String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
                          APIs
                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 000E54EA
                          Strings
                          Similarity
                          • API ID: Open@16
                          • String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.$feclient.dll
                          Strings
                          Similarity
                          • API ID:
                          • String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
                          APIs
                          • CoCreateInstance.OLE32(0012444C,00000000,00000017,0012445C,?,?,00000000,00000000,?,?,?,?,?,000EF8F0,00000000,00000000), ref: 000EF302
                          Strings
                          • WixBurn, xrefs: 000EF32D
                          • Failed to set progress timeout., xrefs: 000EF36C
                          • Failed to set BITS job to foreground., xrefs: 000EF383
                          • Failed to set notification flags for BITS job., xrefs: 000EF354
                          • Failed to create IBackgroundCopyManager., xrefs: 000EF30E
                          • Failed to create BITS job., xrefs: 000EF33C
                          Similarity
                          • API ID: CreateInstance
                          • String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
                          APIs
                          • CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,?,?,?,?,WiX\Burn,DownloadTimeout,00000078), ref: 00109399
                          • GetLastError.KERNEL32 ref: 001093A6
                          • ReadFile.KERNEL32(00000000,00000008,00000008,?,00000000), ref: 001093ED
                          • GetLastError.KERNEL32 ref: 00109421
                          • CloseHandle.KERNEL32(00000000,c:\agent\_work\35\s\wix\src\libs\dutil\dlutil.cpp,000000C8,00000000), ref: 00109455
                          Strings
                          Similarity
                          • API ID: ErrorFileLast$CloseCreateHandleRead
                          • String ID: %ls.R$c:\agent\_work\35\s\wix\src\libs\dutil\dlutil.cpp
                          APIs
                            • Part of subcall function 000CEA56: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,000D0124,000000FF,00000000,00000000,000D0124,?,?,000CF8CE,?,?,?,?), ref: 000CEA81
                          • CreateFileW.KERNEL32(E90010EC,80000000,00000005,00000000,00000003,08000000,00000000,000C708B,?,00000000,840F01E8,84680A79,00000001,000C7083,00000000,000C714F), ref: 000CE652
                          • GetLastError.KERNEL32(?,?,?,000D944A,000C7333,000C713F,000C713F,00000000,?,000C714F,FFF9E89D,000C714F,000C7183,000C710B,?,000C710B), ref: 000CE697
                          Strings
                          • Failed to verify catalog signature: %ls, xrefs: 000CE690
                          • c:\agent\_work\35\s\wix\src\burn\engine\catalog.cpp, xrefs: 000CE6B8
                          • Failed to find payload for catalog file., xrefs: 000CE6DC
                          • Failed to get catalog local file path, xrefs: 000CE6D5
                          • Failed to open catalog in working path: %ls, xrefs: 000CE6C5
                          Similarity
                          • API ID: CompareCreateErrorFileLastString
                          • String ID: Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$c:\agent\_work\35\s\wix\src\burn\engine\catalog.cpp
                          APIs
                          • CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 00105AB2
                          • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 00105ABC
                          • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 00105B05
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 00105B12
                          Strings
                          Similarity
                          • API ID: CloseHandle$CreateErrorLastProcess
                          • String ID: "%ls" %ls$D$c:\agent\_work\35\s\wix\src\libs\dutil\procutil.cpp
                          APIs
                          • WaitForSingleObject.KERNEL32(?,000000FF,74DF30B0,00000000,?,?,?,000EF06B,?), ref: 000EED8E
                          • ReleaseMutex.KERNEL32(?,?,?,000EF06B,?), ref: 000EEDA2
                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 000EEDE7
                          • ReleaseMutex.KERNEL32(?), ref: 000EEDFA
                          • SetEvent.KERNEL32(?), ref: 000EEE03
                          Strings
                          • Failed to get message from netfx chainer., xrefs: 000EEE24
                          • Failed to send files in use message from netfx chainer., xrefs: 000EEE47
                          Similarity
                          • API ID: MutexObjectReleaseSingleWait$Event
                          • String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
                          APIs
                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 000CB8B2
                          • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,000CC5BD,00000100,000002C0,000002C0,00000100), ref: 000CB8D2
                          • GetLastError.KERNEL32(?,000CC5BD,00000100,000002C0,000002C0,00000100), ref: 000CB8DD
                          Strings
                          • Failed to format variable string., xrefs: 000CB8BD
                          • Failed to set directory search path variable., xrefs: 000CB90E
                          • Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 000CB949
                          • Failed while searching directory search: %ls, for path: %ls, xrefs: 000CB933
                          Similarity
                          • API ID: AttributesErrorFileLastOpen@16
                          • String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
                          APIs
                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 000CBA67
                          • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,000CC595,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 000CBA87
                          • GetLastError.KERNEL32(?,000CC595,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 000CBA92
                          Strings
                          • Failed while searching file search: %ls, for path: %ls, xrefs: 000CBAC0
                          • Failed to set variable to file search path., xrefs: 000CBAEA
                          • Failed to format variable string., xrefs: 000CBA72
                          • File search: %ls, did not find path: %ls, xrefs: 000CBAF6
                          Similarity
                          • API ID: AttributesErrorFileLastOpen@16
                          • String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls
                          APIs
                          • WaitForSingleObject.KERNEL32(?,000493E0,00000000,?,?,000DEF3B,00000000,?,?,000DE3C1,?,?,?,?,?,000C712C), ref: 000DEB29
                          • GetLastError.KERNEL32(?,?,000DEF3B,00000000,?,?,000DE3C1,?,?,?,?,?,000C712C,?,?,?), ref: 000DEB33
                          • GetExitCodeThread.KERNEL32(?,?,?,?,000DEF3B,00000000,?,?,000DE3C1,?,?,?,?,?,000C712C,?), ref: 000DEB6F
                          • GetLastError.KERNEL32(?,?,000DEF3B,00000000,?,?,000DE3C1,?,?,?,?,?,000C712C,?,?,?), ref: 000DEB79
                          Strings
                          • Failed to wait for cache thread to terminate., xrefs: 000DEB61
                          • Failed to get cache thread exit code., xrefs: 000DEBA7
                          • c:\agent\_work\35\s\wix\src\burn\engine\elevation.cpp, xrefs: 000DEB57, 000DEB9D
                          Similarity
                          • API ID: ErrorLast$CodeExitObjectSingleThreadWait
                          • String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$c:\agent\_work\35\s\wix\src\burn\engine\elevation.cpp
                          APIs
                          • WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,000D8B21,?,?,00000000,crypt32.dll,00000000,00000001), ref: 000D85F3
                          • GetLastError.KERNEL32(?,000D8B21,?,?,00000000,crypt32.dll,00000000,00000001), ref: 000D85FD
                          • GetExitCodeThread.KERNEL32(00000001,00000000,?,000D8B21,?,?,00000000,crypt32.dll,00000000,00000001), ref: 000D863C
                          • GetLastError.KERNEL32(?,000D8B21,?,?,00000000,crypt32.dll,00000000,00000001), ref: 000D8646
                          Strings
                          • c:\agent\_work\35\s\wix\src\burn\engine\core.cpp, xrefs: 000D8624, 000D866D
                          • Failed to wait for cache thread to terminate., xrefs: 000D862E
                          • Failed to get cache thread exit code., xrefs: 000D8677
                          Similarity
                          • API ID: ErrorLast$CodeExitObjectSingleThreadWait
                          • String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$c:\agent\_work\35\s\wix\src\burn\engine\core.cpp
                          • API String ID: 3686190907-3184435917
                          • Opcode ID: 1a486460ac4b5918cb131e589fffadb8698d36d0d9049ad68609d53da7bf11f1
                          • Instruction ID: d2f7338f6bd2c9ef545fcb88f04ee0c6d4df74e21f1669d95e13ee04fe8fde3e
                          • Opcode Fuzzy Hash: 1a486460ac4b5918cb131e589fffadb8698d36d0d9049ad68609d53da7bf11f1
                          • Instruction Fuzzy Hash: 1B11C470740306FBE7009F619D06BEE7AE8AB00764F10816AF954EA290EFB5CB409B75
                          APIs
                          • GetLastError.KERNEL32(000C714F,000000FF,000C710B,000D944A,000C7083,00000000,?), ref: 000DC8B8
                          • GetLastError.KERNEL32(00000000,00000000,00000000,00000000,000C714F,000000FF,000C710B,000D944A,000C7083,00000000,?), ref: 000DC8FC
                            • Part of subcall function 000DAEA6: _memcmp.LIBVCRUNTIME ref: 000DAF34
                            • Part of subcall function 000DAEA6: _memcmp.LIBVCRUNTIME ref: 000DAF6E
                          Strings
                          • Failed authenticode verification of payload: %ls, xrefs: 000DC899
                          • 0, xrefs: 000DC834
                          • Failed to verify expected payload against actual certificate chain., xrefs: 000DC940
                          • c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp, xrefs: 000DC88E, 000DC8DC, 000DC920
                          • Failed to get signer chain from authenticode certificate., xrefs: 000DC92A
                          • Failed to get provider state from authenticode certificate., xrefs: 000DC8E6
                          Similarity
                          • API ID: ErrorLast_memcmp
                          • String ID: 0$Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp
                          • API String ID: 3428363238-1322580310
                          • Opcode ID: 0d1b3516402a4dd7be15f1d527de096da0e033a3288dc73d69221d1c4b85810b
                          • Instruction ID: 1326d6c3d5236654822e873e1f2aac2b13a720c3c33c7792a1639d923f157a29
                          • Opcode Fuzzy Hash: 0d1b3516402a4dd7be15f1d527de096da0e033a3288dc73d69221d1c4b85810b
                          • Instruction Fuzzy Hash: B641E8B2D05329ABDB14DF94D945EDEBAB8AF04710F10022AF901B7381EB759D00CBE5
                          APIs
                          • EnterCriticalSection.KERNEL32(?), ref: 000E1385
                          • LeaveCriticalSection.KERNEL32(?), ref: 000E1492
                          Strings
                          • UX denied while trying to set source on embedded payload: %ls, xrefs: 000E1407
                          • Engine is active, cannot change engine state., xrefs: 000E139F
                          • UX requested unknown payload with id: %ls, xrefs: 000E13F1
                          • Failed to set source path for payload., xrefs: 000E1421
                          • Failed to set source path for container., xrefs: 000E1477
                          • UX requested unknown container with id: %ls, xrefs: 000E1451
                          Similarity
                          • API ID: CriticalSection$EnterLeave
                          • String ID: Engine is active, cannot change engine state.$Failed to set source path for container.$Failed to set source path for payload.$UX denied while trying to set source on embedded payload: %ls$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
                          • API String ID: 3168844106-4121889706
                          • Opcode ID: 486ed882db68ab71075d871e65630a8f0de575dd473ffeb50efc089fb1c0aa63
                          • Instruction ID: b9525157e02470c4742a38c5e3c531ef2313f1bb7624edf145c60e4dd7e80d5a
                          • Opcode Fuzzy Hash: 486ed882db68ab71075d871e65630a8f0de575dd473ffeb50efc089fb1c0aa63
                          • Instruction Fuzzy Hash: 153124B2A40651AFCB249B5ADC45DDF77E8EF54720704412AF804FB381DB74ED408690
                          APIs
                          • lstrlenW.KERNEL32(00000000), ref: 000C8F12
                          Strings
                          • Failed to copy string., xrefs: 000C8FC6
                          • Failed to append characters., xrefs: 000C8F9E
                          • Failed to format escape sequence., xrefs: 000C8FAC
                          • Failed to append escape sequence., xrefs: 000C8FA5
                          • Failed to allocate buffer for escaped string., xrefs: 000C8F29
                          • [\%c], xrefs: 000C8F71
                          • []{}, xrefs: 000C8F3C
                          Similarity
                          • API ID: lstrlen
                          • String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
                          • API String ID: 1659193697-3250950999
                          • Opcode ID: f00c3031da29a149288285d05e47b00eb4befe084e19f5b361592d047e5ea525
                          • Instruction ID: fb3bc4da65fbda54b4223fca4bb12f15be49889e9846fc3515feab8ba488598d
                          • Opcode Fuzzy Hash: f00c3031da29a149288285d05e47b00eb4befe084e19f5b361592d047e5ea525
                          • Instruction Fuzzy Hash: 05210C32D48218BBDB265790DC46FEF77AAAB14720F21413DF900B6191DFB4AF819754
                          APIs
                          • CompareStringW.KERNEL32(00000000,00000000,0010E500,000000FF,feclient.dll,000000FF,00000000,00000000,?,?,?,000E82A4,?,00000001,?,00000000), ref: 000E7719
                          Strings
                          • feclient.dll, xrefs: 000E770F, 000E7837
                          • Failed to insert execute action., xrefs: 000E776E
                          • Failed to copy target product code., xrefs: 000E784A
                          • Failed to plan action for target product., xrefs: 000E77C4
                          • Failed grow array of ordered patches., xrefs: 000E77B2
                          Similarity
                          • API ID: CompareString
                          • String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.$feclient.dll
                          • API String ID: 1825529933-3477540455
                          • Opcode ID: afce08b078a2bfbb8707466636000fc15c46f274fccd7d7db6d49d9429d7d86f
                          • Instruction ID: b5f2a3e175a445cb2ecc0527137d0fc18bc354100072795bc3d37e79069642b2
                          • Opcode Fuzzy Hash: afce08b078a2bfbb8707466636000fc15c46f274fccd7d7db6d49d9429d7d86f
                          • Instruction Fuzzy Hash: 548137B960838A9FCB55CF59C880AAA77E5FF08324F11456AED59AB352D730EC11CF90
                          APIs
                          • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00000100,00000000,?,?,?,000D8D42,000000B8,0000001C,00000100), ref: 000EAD2D
                          • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,0010E4B8,000000FF,?,?,?,000D8D42,000000B8,0000001C,00000100,00000100,00000100,000000B0), ref: 000EADB7
                          Strings
                          • BA aborted detect forward compatible bundle., xrefs: 000EAE21
                          • c:\agent\_work\35\s\wix\src\burn\engine\detect.cpp, xrefs: 000EAE17
                          • Failed to initialize update bundle., xrefs: 000EAE5A
                          • comres.dll, xrefs: 000EAE39
                          Similarity
                          • API ID: CompareString
                          • String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$c:\agent\_work\35\s\wix\src\burn\engine\detect.cpp$comres.dll
                          • API String ID: 1825529933-4267508406
                          • Opcode ID: c13aff146f395ffc85b734633a3795d5ca60cdc0f132382fb2c1ae84ca16d772
                          • Instruction ID: cf0189797d080174f951d5598b0ccacb5c56fbd230f23328b6272890e17cbbea
                          • Opcode Fuzzy Hash: c13aff146f395ffc85b734633a3795d5ca60cdc0f132382fb2c1ae84ca16d772
                          • Instruction Fuzzy Hash: 3751F030604251FFDF298F65CC81FAAB7A6FF0A310F104259F915AA2A1C771E860CBA1
                          APIs
                          • CloseHandle.KERNEL32(00000000,?,?,00000001,0010E500,?,00000001,000000FF,?,?,00000000,00000000,00000001,00000000,?,000D9106), ref: 000DF13F
                          Strings
                          • Failed to create pipe and cache pipe., xrefs: 000DF08F
                          • Failed to connect to elevated child process., xrefs: 000DF128
                          • Failed to elevate., xrefs: 000DF121
                          • UX aborted elevation requirement., xrefs: 000DF047
                          • Failed to create pipe name and client token., xrefs: 000DF073
                          • c:\agent\_work\35\s\wix\src\burn\engine\elevation.cpp, xrefs: 000DF03D
                          Similarity
                          • API ID: CloseHandle
                          • String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$c:\agent\_work\35\s\wix\src\burn\engine\elevation.cpp
                          • API String ID: 2962429428-4142544803
                          • Opcode ID: 13636e20db99fc570c6c147387baf32fe2884028290f0a0560562374c1f5e8df
                          • Instruction ID: 52624494f0aac51ac1cfa2d8838610ff78713df8a9b1d3440e61fb923ab5e5f7
                          • Opcode Fuzzy Hash: 13636e20db99fc570c6c147387baf32fe2884028290f0a0560562374c1f5e8df
                          • Instruction Fuzzy Hash: 0C312C76645723BAE725A260DC47FFE765CAB00730F108227F906BB382DBA5AD4046F5
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 0010544B
                          • GetComputerNameW.KERNEL32(?,?), ref: 001054A3
                          Strings
                          • === Logging started: %ls ===, xrefs: 001054CE
                          • Executable: %ls v%d.%d.%d.%d, xrefs: 001054FF
                          • Computer : %ls, xrefs: 00105511
                          • --- logging level: %hs ---, xrefs: 00105563
                          Similarity
                          • API ID: Name$ComputerFileModule
                          • String ID: --- logging level: %hs ---$=== Logging started: %ls ===$Computer : %ls$Executable: %ls v%d.%d.%d.%d
                          • API String ID: 2577110986-3153207428
                          • Opcode ID: 7440cd50c76d202eb3409516b2428f98a5b7860b22e48f1b0194b9e5d6d99a32
                          • Instruction ID: ea5939a82999252d199901d3eb43037f805dc357bcb7a2f07af1fa5e042e292b
                          • Opcode Fuzzy Hash: 7440cd50c76d202eb3409516b2428f98a5b7860b22e48f1b0194b9e5d6d99a32
                          • Instruction Fuzzy Hash: EE41B3B190011CABDB24DB64DC84AEB77BDEB44300F4481AAFA85E3182D7709EC58F64
                          APIs
                            • Part of subcall function 000C582C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0,00000000,?,00108D90,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 000C5840
                          • RegCloseKey.ADVAPI32(00000001,00000001,crypt32.dll,00000000,00000001,0010E500,00000000,00000001,00000000,00020019,00000001,00000000,00000000,00020019,00000000,00000001), ref: 0010CB00
                          • RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,crypt32.dll,00000000,00000001,0010E500,00000000,00000001,00000000,00020019), ref: 0010CB3B
                          • RegCloseKey.ADVAPI32(00000001,00000001,00020019,00000000,00000000,00000000,00000000,00000000,crypt32.dll), ref: 0010CB57
                          • RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,crypt32.dll), ref: 0010CB64
                          • RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,crypt32.dll), ref: 0010CB71
                            • Part of subcall function 000C588F: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0010CAED,00000001), ref: 000C58A7
                          Strings
                          Similarity
                          • API ID: Close$InfoOpenQuery
                          • String ID: crypt32.dll
                          • API String ID: 796878624-1661610138
                          • Opcode ID: 0cd09571f658b2316aac56dc77d27716afd259e8a2646ffeb33dd198d045083d
                          • Instruction ID: 82bc3694e6976513fb9f18826d086bc629b5afcb88fc980f20832ed5772ddb60
                          • Opcode Fuzzy Hash: 0cd09571f658b2316aac56dc77d27716afd259e8a2646ffeb33dd198d045083d
                          • Instruction Fuzzy Hash: 9A414A76C01229BFCF21AFD8CD829EDFB79AF04790F1542AAA94077161DB705E509ED0
                          APIs
                          • EnterCriticalSection.KERNEL32(0012F764,00000000,?,?,?,000D5ECA,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,000C71C0,?), ref: 00105640
                          • CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,0012F75C,?,000D5ECA,00000000,Setup), ref: 001056E4
                          • GetLastError.KERNEL32(?,000D5ECA,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,000C71C0,?,?,?), ref: 001056F4
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,000D5ECA,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,000C71C0,?), ref: 0010572E
                            • Part of subcall function 000C4832: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 000C497C
                          • LeaveCriticalSection.KERNEL32(0012F764,?,?,0012F75C,?,000D5ECA,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,000C71C0,?), ref: 00105787
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\logutil.cpp, xrefs: 00105713
                          Similarity
                          • API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\logutil.cpp
                          • API String ID: 4111229724-2202919084
                          • Opcode ID: ab8e64103cfac12696abc0cc65b3fae105d5c00b20e5490da27c95eb375f9d3f
                          • Instruction ID: 97a118ac5d8b8dc1008cefcef9b3c86b6c8d979d689796b0a386b390b2adc1ea
                          • Opcode Fuzzy Hash: ab8e64103cfac12696abc0cc65b3fae105d5c00b20e5490da27c95eb375f9d3f
                          • Instruction Fuzzy Hash: 4931B935940665FFDB215F60AD85E9F3ABAFB00754F404138FD80A61A2D7B0CD51AFA0
                          APIs
                          • lstrlenW.KERNEL32(?,?,00000000,00000000,BundleUpgradeCode), ref: 000C5E74
                          • lstrlenW.KERNEL32(?,00000002,00000001,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 000C5ED6
                          • lstrlenW.KERNEL32(?), ref: 000C5EE2
                          • RegSetValueExW.ADVAPI32(?,?,00000000,00000007,?,?,00000001,?,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 000C5F25
                          Strings
                          • BundleUpgradeCode, xrefs: 000C5E41
                          • c:\agent\_work\35\s\wix\src\libs\dutil\regutil.cpp, xrefs: 000C5F4D
                          Similarity
                          • API ID: lstrlen$Value
                          • String ID: BundleUpgradeCode$c:\agent\_work\35\s\wix\src\libs\dutil\regutil.cpp
                          • API String ID: 198323757-2835200066
                          • Opcode ID: 8a6b7c42d76ebf8e9c25b660fa094701627d46e71441b0b94da02f5e9234efef
                          • Instruction ID: 65d3567c45401f4511c3cd9f1fd7f59307ed5aa6cee24923450988c48248b35f
                          • Opcode Fuzzy Hash: 8a6b7c42d76ebf8e9c25b660fa094701627d46e71441b0b94da02f5e9234efef
                          • Instruction Fuzzy Hash: 9831A576900629AFCB21DF988C45F9E7BB8FF44751F05046DF901AB211D770ED528BA0
                          APIs
                          • CreateThread.KERNEL32(00000000,00000000,000DC960,00000001,00000000,00000000), ref: 000DEEBF
                          • GetLastError.KERNEL32(?,?,?,000C712C,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000DEECB
                            • Part of subcall function 000DEB17: WaitForSingleObject.KERNEL32(?,000493E0,00000000,?,?,000DEF3B,00000000,?,?,000DE3C1,?,?,?,?,?,000C712C), ref: 000DEB29
                            • Part of subcall function 000DEB17: GetLastError.KERNEL32(?,?,000DEF3B,00000000,?,?,000DE3C1,?,?,?,?,?,000C712C,?,?,?), ref: 000DEB33
                          • CloseHandle.KERNEL32(00000000,00000000,?,?,000DE3C1,?,?,?,?,?,000C712C,?,?,?,?), ref: 000DEF4C
                          Strings
                          • Failed to create elevated cache thread., xrefs: 000DEEF9
                          • Failed to pump messages in child process., xrefs: 000DEF23
                          • c:\agent\_work\35\s\wix\src\burn\engine\elevation.cpp, xrefs: 000DEEEF
                          Similarity
                          • API ID: ErrorLast$CloseCreateHandleObjectSingleThreadWait
                          • String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$c:\agent\_work\35\s\wix\src\burn\engine\elevation.cpp
                          • API String ID: 3606931770-2488980631
                          • Opcode ID: 0f164ea5c673608e20af1b9a072c670cecfefae367c1de750cf92e4d88553bd6
                          • Instruction ID: bc90344b18b2aa4b091bf6ee59f5ece120b62d7314fc0d23bac2b3aa9d2e7102
                          • Opcode Fuzzy Hash: 0f164ea5c673608e20af1b9a072c670cecfefae367c1de750cf92e4d88553bd6
                          • Instruction Fuzzy Hash: EE41B4B6D01259AF8B45DFA9D8859DEBBF4BF48710B11412AF908EB340E770A9418FA4
                          APIs
                          • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,000C75EF,00000100,00000100,00000000,?,00000001,00000000,00000100), ref: 000C903E
                          • LeaveCriticalSection.KERNEL32(00000000,00000000,00000100,00000000,?,?,?,000C75EF,00000100,00000100,00000000,?,00000001,00000000,00000100), ref: 000C911D
                          Strings
                          • Failed to get variable: %ls, xrefs: 000C907F
                          • Failed to get value as string for variable: %ls, xrefs: 000C910C
                          • *****, xrefs: 000C90D9, 000C90E6
                          • Failed to get unformatted string., xrefs: 000C90AE
                          • Failed to format value '%ls' of variable: %ls, xrefs: 000C90E7
                          Similarity
                          • API ID: CriticalSection$EnterLeave
                          • String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
                          • API String ID: 3168844106-2873099529
                          • Opcode ID: f70b6412b74077cfd73c196cadcf1c89489622b589bbc42605b9e874c447318b
                          • Instruction ID: 326c6a45dd18b61a12af0ddf131e5dc24d46e4dc4d140835b4b64be9f034178c
                          • Opcode Fuzzy Hash: f70b6412b74077cfd73c196cadcf1c89489622b589bbc42605b9e874c447318b
                          • Instruction Fuzzy Hash: 8431B13294062AFFCF225F90CC0AFDE7AA5BF14725F144128FD046A151D7B5EA909BD1
                          APIs
                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 000D0C41
                            • Part of subcall function 000C383E: SetFileAttributesW.KERNEL32(000EACC4,00000080,00000000,000EACC4,000000FF,00000000,?,?,000EACC4), ref: 000C386D
                            • Part of subcall function 000C383E: GetLastError.KERNEL32(?,?,000EACC4), ref: 000C3877
                            • Part of subcall function 000C16A9: RemoveDirectoryW.KERNEL32(00000001,00000000,00000000,00000000,?,?,000D0C8C,00000001,00000000,00000095,00000001,2#,00000095,00000000,swidtag,00000001), ref: 000C16C6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: AttributesDirectoryErrorFileLastOpen@16Remove
                          • String ID: 2#$Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to format tag folder path.$swidtag
                          • API String ID: 1428973842-3481144448
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 001078CB
                          • SysAllocString.OLEAUT32(?), ref: 001078E7
                          • VariantClear.OLEAUT32(?), ref: 0010796E
                          • SysFreeString.OLEAUT32(00000000), ref: 00107979
                          Strings
                          • `<u, xrefs: 00107979
                          • c:\agent\_work\35\s\wix\src\libs\dutil\xmlutil.cpp, xrefs: 001078FE
                          Similarity
                          • API ID: StringVariant$AllocClearFreeInit
                          • String ID: `<u$c:\agent\_work\35\s\wix\src\libs\dutil\xmlutil.cpp
                          • API String ID: 760788290-239685051
                          APIs
                          • InitializeAcl.ADVAPI32(?,00000008,00000002,0000001A,?,?,00000000,00000000,?,?,?), ref: 000DAA5C
                          • GetLastError.KERNEL32 ref: 000DAA66
                          • SetFileAttributesW.KERNEL32(?,00000080,?,00000001,20000004,00000000,00000000,?,00000000,00000003,000007D0,?,00000000,00000000,?,?), ref: 000DAAC6
                          Strings
                          • Failed to allocate administrator SID., xrefs: 000DAA42
                          • Failed to initialize ACL., xrefs: 000DAA94
                          • c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp, xrefs: 000DAA8A
                          Similarity
                          • API ID: AttributesErrorFileInitializeLast
                          • String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp
                          • API String ID: 669721577-4229290159
                          APIs
                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,crypt32.dll,?,?,000D5CE7,00000001,feclient.dll,?,00000000,?,?,?,000C67E0), ref: 000C1C66
                          • GetLastError.KERNEL32(?,?,000D5CE7,00000001,feclient.dll,?,00000000,?,?,?,000C67E0,?,?,0010E488,?,00000001), ref: 000C1C72
                          • GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,000D5CE7,00000001,feclient.dll,?,00000000,?,?,?,000C67E0,?), ref: 000C1CAD
                          • GetLastError.KERNEL32(?,?,000D5CE7,00000001,feclient.dll,?,00000000,?,?,?,000C67E0,?,?,0010E488,?,00000001), ref: 000C1CB7
                          Strings
                          • crypt32.dll, xrefs: 000C1C2F
                          • c:\agent\_work\35\s\wix\src\libs\dutil\dirutil.cpp, xrefs: 000C1CDB
                          Similarity
                          • API ID: CurrentDirectoryErrorLast
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\dirutil.cpp$crypt32.dll
                          • API String ID: 152501406-2998262101
                          APIs
                          Strings
                          • c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp, xrefs: 000E2730
                          • Failed to write during cabinet extraction., xrefs: 000E273A
                          • Unexpected call to CabWrite()., xrefs: 000E26C6
                          Similarity
                          • API ID: ErrorFileLastWrite_memcpy_s
                          • String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp
                          • API String ID: 1970631241-902661353
                          APIs
                          • FreeLibrary.KERNEL32(00000000,?,000FDAC4,00000021,000FDC1E,00000100,00000000,00000000,?,000FDC1E,00000021,FlsSetValue,0012669C,001266A4,00000100), ref: 000FDA78
                          Strings
                          Similarity
                          • API ID: FreeLibrary
                          • String ID: api-ms-$ext-ms-
                          • API String ID: 3664257935-537541572
                          APIs
                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 000CB7F5
                          • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,000CC5C6,00000100,000002C0,000002C0,00000100), ref: 000CB80A
                          • GetLastError.KERNEL32(?,000CC5C6,00000100,000002C0,000002C0,00000100), ref: 000CB817
                          Strings
                          • Failed to format variable string., xrefs: 000CB800
                          • Failed to set variable., xrefs: 000CB87C
                          • Failed while searching directory search: %ls, for path: %ls, xrefs: 000CB857
                          Similarity
                          • API ID: AttributesErrorFileLastOpen@16
                          • String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
                          • API String ID: 1811509786-402580132
                          APIs
                          • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 000E27C7
                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000E27D9
                          • SetFileTime.KERNEL32(?,?,?,?), ref: 000E27EC
                          • CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,000E23BC,?,?), ref: 000E27FB
                          Strings
                          • Invalid operation for this state., xrefs: 000E27A0
                          • c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp, xrefs: 000E2796
                          Similarity
                          • API ID: Time$File$CloseDateHandleLocal
                          • String ID: Invalid operation for this state.$c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp
                          • API String ID: 609741386-591499318
                          APIs
                            • Part of subcall function 000C50E9: GetProcessHeap.KERNEL32(?,000001C7,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C50FA
                            • Part of subcall function 000C50E9: RtlAllocateHeap.NTDLL(00000000,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5101
                          • _memcpy_s.LIBCMT ref: 000D6357
                          • _memcpy_s.LIBCMT ref: 000D636A
                          • _memcpy_s.LIBCMT ref: 000D6385
                          Strings
                          Similarity
                          • API ID: _memcpy_s$Heap$AllocateProcess
                          • String ID: Failed to allocate memory for message.$c:\agent\_work\35\s\wix\src\burn\engine\pipe.cpp$crypt32.dll
                          • API String ID: 886498622-2225947834
                          APIs
                          Strings
                          Similarity
                          • API ID: CloseErrorExecuteHandleLastShell
                          • String ID: <$PDu$c:\agent\_work\35\s\wix\src\libs\dutil\shelutil.cpp
                          • API String ID: 3023784893-3984760478
                          APIs
                          • SysFreeString.OLEAUT32(00000000), ref: 000CB7C2
                          Strings
                          • `<u, xrefs: 000CB7C2
                          • Failed to copy condition string from BSTR, xrefs: 000CB7AC
                          • Condition, xrefs: 000CB75D
                          • Failed to select condition node., xrefs: 000CB779
                          • Failed to get Condition inner text., xrefs: 000CB792
                          Similarity
                          • API ID: FreeString
                          • String ID: Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.$`<u
                          • API String ID: 3341692771-266405526
                          APIs
                          • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,000C7F43,00000000), ref: 00105B3F
                          • GetProcAddress.KERNEL32(00000000), ref: 00105B46
                          • GetLastError.KERNEL32(?,?,?,000C7F43,00000000), ref: 00105B65
                          Strings
                          • kernel32, xrefs: 00105B39
                          • IsWow64Process2, xrefs: 00105B32
                          • c:\agent\_work\35\s\wix\src\libs\dutil\procutil.cpp, xrefs: 00105B86
                          Similarity
                          • API ID: AddressErrorHandleLastModuleProc
                          • String ID: IsWow64Process2$c:\agent\_work\35\s\wix\src\libs\dutil\procutil.cpp$kernel32
                          • API String ID: 4275029093-2885952187
                          APIs
                          • Sleep.KERNEL32(000007D0,00000000,00000000), ref: 000DA93F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Sleep
                          • String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$per-machine$per-user
                          • API String ID: 3472027048-398165853
                          APIs
                          • DefWindowProcW.USER32(?,00000082,?,?), ref: 000E0532
                          • SetWindowLongW.USER32(?,000000EB,00000000), ref: 000E0541
                          • SetWindowLongW.USER32(?,000000EB,?), ref: 000E0555
                          • DefWindowProcW.USER32(?,?,?,?), ref: 000E0565
                          • GetWindowLongW.USER32(?,000000EB), ref: 000E057F
                          • PostQuitMessage.USER32(00000000), ref: 000E05DE
                          Similarity
                          • API ID: Window$Long$Proc$MessagePostQuit
                          • String ID:
                          • API String ID: 3812958022-0
                          APIs
                          • GetLastError.KERNEL32(?,?,000F3065,000F373C), ref: 000F307C
                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 000F308A
                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000F30A3
                          • SetLastError.KERNEL32(00000000,?,000F3065,000F373C), ref: 000F30F5
                          Similarity
                          • API ID: ErrorLastValue___vcrt_
                          • String ID:
                          • API String ID: 3852720340-0
                          APIs
                          Strings
                          • Unexpected elevated message sent to child process, msg: %u, xrefs: 000DE5BC
                          • c:\agent\_work\35\s\wix\src\burn\engine\elevation.cpp, xrefs: 000DE5B0
                          • Failed to save state., xrefs: 000DE489
                          Similarity
                          • API ID: CloseHandleMutexRelease
                          • String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$c:\agent\_work\35\s\wix\src\burn\engine\elevation.cpp
                          APIs
                            • Part of subcall function 000C50E9: GetProcessHeap.KERNEL32(?,000001C7,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C50FA
                            • Part of subcall function 000C50E9: RtlAllocateHeap.NTDLL(00000000,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5101
                          • SysFreeString.OLEAUT32(00000000), ref: 0010B1EF
                          • SysFreeString.OLEAUT32(00000000), ref: 0010B1FA
                          • SysFreeString.OLEAUT32(00000000), ref: 0010B205
                          Strings
                          • `<u, xrefs: 0010B1E4
                          • c:\agent\_work\35\s\wix\src\libs\dutil\atomutil.cpp, xrefs: 0010B0C5
                          Similarity
                          • API ID: FreeString$Heap$AllocateProcess
                          • String ID: `<u$c:\agent\_work\35\s\wix\src\libs\dutil\atomutil.cpp
                          APIs
                          • RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 000C5AE5
                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,000D8D17,00000100,000000B0,00000088,00000410,000002C0), ref: 000C5B1C
                          • lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 000C5C0E
                          Strings
                          • BundleUpgradeCode, xrefs: 000C5AC4
                          • c:\agent\_work\35\s\wix\src\libs\dutil\regutil.cpp, xrefs: 000C5B5F
                          Similarity
                          • API ID: QueryValue$lstrlen
                          • String ID: BundleUpgradeCode$c:\agent\_work\35\s\wix\src\libs\dutil\regutil.cpp
                          APIs
                            • Part of subcall function 000C3FE8: SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,000DA39F,00000000,00000000,00000000,00000000,00000000), ref: 000C4000
                            • Part of subcall function 000C3FE8: GetLastError.KERNEL32(?,?,?,000DA39F,00000000,00000000,00000000,00000000,00000000), ref: 000C400A
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,001091AE,?,?,?,?,?,?,?,00010000,?), ref: 0010995D
                          • WriteFile.KERNEL32(000000FF,00000008,00000008,?,00000000,000000FF,00000000,00000000,00000000,00000000,?,001091AE,?,?,?,?), ref: 001099AF
                          • GetLastError.KERNEL32(?,001091AE,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 001099F5
                          • GetLastError.KERNEL32(?,001091AE,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 00109A1B
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\dlutil.cpp, xrefs: 00109A3F
                          Similarity
                          • API ID: ErrorFileLast$Write$Pointer
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\dlutil.cpp
                          APIs
                          • WideCharToMultiByte.KERNEL32(?,00000000,001050F9,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,001050F9,000E2DD0,?,00000000), ref: 000C2F48
                          • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,001050F9,000E2DD0,?,00000000,0000FDE9,?,000E2DD0), ref: 000C2F54
                            • Part of subcall function 000C5369: GetProcessHeap.KERNEL32(00000000,000001C7,?,000C2CA9,000001C7,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5371
                            • Part of subcall function 000C5369: HeapSize.KERNEL32(00000000,?,000C2CA9,000001C7,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5378
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\strutil.cpp, xrefs: 000C2F78
                          Similarity
                          • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\strutil.cpp
                          APIs
                          • MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,000C3A1C,00000003,00000001,00000001,000007D0,00000003,00000000,?,000DBC87,00000001), ref: 000C38EC
                          • GetLastError.KERNEL32(00000002,?,000C3A1C,00000003,00000001,00000001,000007D0,00000003,00000000,?,000DBC87,00000001,000007D0,00000001,00000001,00000003), ref: 000C38FB
                          • MoveFileExW.KERNEL32(00000003,00000001,00000000,00000001,00000000,?,000C3A1C,00000003,00000001,00000001,000007D0,00000003,00000000,?,000DBC87,00000001), ref: 000C3994
                          • GetLastError.KERNEL32(?,000C3A1C,00000003,00000001,00000001,000007D0,00000003,00000000,?,000DBC87,00000001,000007D0,00000001,00000001,00000003,000007D0), ref: 000C399E
                            • Part of subcall function 000C3B2C: FindFirstFileW.KERNELBASE(?,?,?,00000000), ref: 000C3B67
                            • Part of subcall function 000C3B2C: FindClose.KERNEL32(00000000,?,00000000), ref: 000C3B73
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 000C39BD
                          Similarity
                          • API ID: File$ErrorFindLastMove$CloseFirst
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\fileutil.cpp
                          APIs
                          • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,?,000000FF,?,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 000EC809
                          Strings
                          • Failed to extract payload: %ls from container: %ls, xrefs: 000EC892
                          • Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 000EC89E
                          • Failed to extract all payloads from container: %ls, xrefs: 000EC84D
                          • Failed to open container: %ls., xrefs: 000EC7DB
                          Similarity
                          • API ID: CompareString
                          • String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
                          APIs
                            • Part of subcall function 000C50E9: GetProcessHeap.KERNEL32(?,000001C7,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C50FA
                            • Part of subcall function 000C50E9: RtlAllocateHeap.NTDLL(00000000,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5101
                          • SysFreeString.OLEAUT32(00000000), ref: 0010B072
                          • SysFreeString.OLEAUT32(?), ref: 0010B07D
                          • SysFreeString.OLEAUT32(00000000), ref: 0010B088
                          Strings
                          • `<u, xrefs: 0010B067
                          • c:\agent\_work\35\s\wix\src\libs\dutil\atomutil.cpp, xrefs: 0010AFBC
                          Similarity
                          • API ID: FreeString$Heap$AllocateProcess
                          • String ID: `<u$c:\agent\_work\35\s\wix\src\libs\dutil\atomutil.cpp
                          APIs
                            • Part of subcall function 000C3B2C: FindFirstFileW.KERNELBASE(?,?,?,00000000), ref: 000C3B67
                            • Part of subcall function 000C3B2C: FindClose.KERNEL32(00000000,?,00000000), ref: 000C3B73
                          • RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 000C3B1E
                            • Part of subcall function 000C582C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0,00000000,?,00108D90,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 000C5840
                            • Part of subcall function 000C5ABD: RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 000C5AE5
                            • Part of subcall function 000C5ABD: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,000D8D17,00000100,000000B0,00000088,00000410,000002C0), ref: 000C5B1C
                          Strings
                          Similarity
                          • API ID: CloseFindQueryValue$FileFirstOpen
                          • String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
                          APIs
                          • CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,?,000000FF,00000001,PackageVersion,00000001,?,000D2323,00000001,00000001,00000001,000D2323,00000000), ref: 000D0D66
                          • RegCloseKey.ADVAPI32(00000000,00000001,PackageVersion,00000001,?,000D2323,00000001,00000001,00000001,000D2323,00000000,00000001,00000000,?,000D2323,00000001), ref: 000D0D83
                          Strings
                          • Failed to remove update registration key: %ls, xrefs: 000D0DAE
                          • PackageVersion, xrefs: 000D0D47
                          • Failed to format key for update registration., xrefs: 000D0D1C
                          Similarity
                          • API ID: CloseCompareString
                          • String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
                          APIs
                          • CopyFileW.KERNEL32(00000000,000C6A86,00000000,?,?,00000000,?,000C3818,00000000,000C6A86,00000000,00000000,?,000DA21F,?,?), ref: 000C3717
                          • GetLastError.KERNEL32(?,000C3818,00000000,000C6A86,00000000,00000000,?,000DA21F,?,?,00000001,00000003,000007D0,?,?,?), ref: 000C3725
                          • CopyFileW.KERNEL32(00000000,000C6A86,00000000,000C6A86,00000000,?,000C3818,00000000,000C6A86,00000000,00000000,?,000DA21F,?,?,00000001), ref: 000C3797
                          • GetLastError.KERNEL32(?,000C3818,00000000,000C6A86,00000000,00000000,?,000DA21F,?,?,00000001,00000003,000007D0,?,?,?), ref: 000C37A1
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 000C37C0
                          Similarity
                          • API ID: CopyErrorFileLast
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\fileutil.cpp
                          APIs
                            • Part of subcall function 000C582C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0,00000000,?,00108D90,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 000C5840
                          • CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,?,000000FF,00000000,00000000,00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4), ref: 000EA8CF
                          • RegCloseKey.ADVAPI32(00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4,?,?,?,000D14BA,00000001,00000100,000001B4,00000000), ref: 000EA91D
                          Strings
                          • Failed to enumerate uninstall key for related bundles., xrefs: 000EA92C
                          • Failed to open uninstall registry key., xrefs: 000EA892
                          • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 000EA86C
                          Similarity
                          • API ID: CloseCompareOpenString
                          • String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                          APIs
                            • Part of subcall function 000C50E9: GetProcessHeap.KERNEL32(?,000001C7,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C50FA
                            • Part of subcall function 000C50E9: RtlAllocateHeap.NTDLL(00000000,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5101
                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 000EED21
                          • ReleaseMutex.KERNEL32(?), ref: 000EED4F
                          • SetEvent.KERNEL32(?), ref: 000EED58
                          Strings
                          • Failed to allocate buffer., xrefs: 000EECD0
                          • c:\agent\_work\35\s\wix\src\burn\engine\netfxchainer.cpp, xrefs: 000EECC6
                          Similarity
                          • API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
                          • String ID: Failed to allocate buffer.$c:\agent\_work\35\s\wix\src\burn\engine\netfxchainer.cpp
                          APIs
                          • QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000001,00000000,?,?,000E85D5,00000000,?), ref: 00108EC6
                          • GetLastError.KERNEL32(?,?,000E85D5,00000000,?,?,?,?,?,?,?,?,?,000E89E5,?,?), ref: 00108ED4
                            • Part of subcall function 000C50E9: GetProcessHeap.KERNEL32(?,000001C7,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C50FA
                            • Part of subcall function 000C50E9: RtlAllocateHeap.NTDLL(00000000,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5101
                          • QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,000E85D5,00000000,?), ref: 00108F0E
                          • GetLastError.KERNEL32(?,?,000E85D5,00000000,?,?,?,?,?,?,?,?,?,000E89E5,?,?), ref: 00108F18
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ConfigErrorHeapLastQueryService$AllocateProcess
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\svcutil.cpp
                          • API String ID: 355237494-940845967
                          • Opcode ID: 0abac6a44f3a3f22224addebde49b39f53b33c62480e09dbf398a744b319b78b
                          • Instruction ID: 34ad40ee42f9ac636ed6b0ee7cfaeb0867f4b98f06e335a62c7a7293fe55ecbc
                          • Opcode Fuzzy Hash: 0abac6a44f3a3f22224addebde49b39f53b33c62480e09dbf398a744b319b78b
                          • Instruction Fuzzy Hash: D721F336908136BBD72066B58D09F9B696AEF54B60F124115BDC0FB181EFF48E0092E1
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 0010781C
                          • VariantInit.OLEAUT32(?), ref: 00107828
                          • VariantClear.OLEAUT32(?), ref: 0010789C
                          • SysFreeString.OLEAUT32(00000000), ref: 001078A7
                            • Part of subcall function 00107A54: SysAllocString.OLEAUT32(?), ref: 00107A69
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: String$AllocVariant$ClearFreeInit
                          • String ID: `<u
                          • API String ID: 347726874-3367579956
                          • Opcode ID: 1ac7fee14ff9170f50c2dbeb1a1f8815bf7455cfc6f18431b11e5b11fa0a92a9
                          • Instruction ID: b8a351b47c7bf6dfbfb3dafeaa9c605b342202587efc0bf9180b8b11c0f0d55d
                          • Opcode Fuzzy Hash: 1ac7fee14ff9170f50c2dbeb1a1f8815bf7455cfc6f18431b11e5b11fa0a92a9
                          • Instruction Fuzzy Hash: DE213A71E01219EFCB14DFA4C848EAEBBB8BF44715F144599E842AB2A0D770EE45CB90
                          APIs
                          Strings
                          • Failed to find variable., xrefs: 000CB5B7
                          • Failed to read next symbol., xrefs: 000CB5E6
                          • Failed to parse condition '%ls' at position: %u, xrefs: 000CB57C
                          • c:\agent\_work\35\s\wix\src\burn\engine\condition.cpp, xrefs: 000CB56C, 000CB5AD
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: _memcpy_s
                          • String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$c:\agent\_work\35\s\wix\src\burn\engine\condition.cpp
                          • API String ID: 2001391462-542558778
                          • Opcode ID: f70fb515bc18a3a77c2a7ca74ef94ff305f3514dbdfcae5b511acdef424cf5f2
                          • Instruction ID: d7e40642f13b4c955747f13914c6b384b22f84e4c682aacf5a5f54eda8a5a957
                          • Opcode Fuzzy Hash: f70fb515bc18a3a77c2a7ca74ef94ff305f3514dbdfcae5b511acdef424cf5f2
                          • Instruction Fuzzy Hash: B1112737680A20B7DB252F689D47FDF7B44AB19710F004618FA006E1D3CBA2DB5087E1
                          APIs
                          • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0010E500,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?,000D705A), ref: 000D6783
                          Strings
                          • Failed to write message type to pipe., xrefs: 000D67C5
                          • c:\agent\_work\35\s\wix\src\burn\engine\pipe.cpp, xrefs: 000D67BB
                          • Failed to allocate message to write., xrefs: 000D6762
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: FileWrite
                          • String ID: Failed to allocate message to write.$Failed to write message type to pipe.$c:\agent\_work\35\s\wix\src\burn\engine\pipe.cpp
                          • API String ID: 3934441357-1022869799
                          • Opcode ID: d669068a5cb8e6231e6c8d644dc88c24feead5c09a2e171123df21a54cd6031d
                          • Instruction ID: f02412ed97fde6cc0d43aff1420c11b40a40582d99b775dfaf8ba01029e9d018
                          • Opcode Fuzzy Hash: d669068a5cb8e6231e6c8d644dc88c24feead5c09a2e171123df21a54cd6031d
                          • Instruction Fuzzy Hash: 5E11AC76944229BBCB219F84CD09EDE7EB9EF40750F110166F800B6380E772AE90DAB0
                          APIs
                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 000CBB39
                          Strings
                          • Failed to set variable., xrefs: 000CBB98
                          • Failed get file version., xrefs: 000CBB79
                          • File search: %ls, did not find path: %ls, xrefs: 000CBBA4
                          • Failed to format path string., xrefs: 000CBB44
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Open@16
                          • String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
                          • API String ID: 3613110473-2458530209
                          • Opcode ID: 21a8c2fd7a98e315dc734b896b58d47183d25fca1ec6462cd5480f1392d9957b
                          • Instruction ID: e8352074d0cd1f5bd94b1dbc367321b28ccb4c26bdbd086a92eaa3cb6a0cd5d7
                          • Opcode Fuzzy Hash: 21a8c2fd7a98e315dc734b896b58d47183d25fca1ec6462cd5480f1392d9957b
                          • Instruction Fuzzy Hash: BD115E76D0012CBBCF126B948C42EDEFB79AF14760F10816AF90066152D7B29E509B91
                          APIs
                            • Part of subcall function 000C50E9: GetProcessHeap.KERNEL32(?,000001C7,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C50FA
                            • Part of subcall function 000C50E9: RtlAllocateHeap.NTDLL(00000000,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5101
                          • CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,?,?,000DAA3C,0000001A,?,?,00000000,00000000), ref: 000D9E8D
                          • GetLastError.KERNEL32(?,?,000DAA3C,0000001A,?,?,00000000,00000000,?,?,?), ref: 000D9E97
                          Strings
                          • Failed to allocate memory for well known SID., xrefs: 000D9E75
                          • Failed to create well known SID., xrefs: 000D9EC5
                          • c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp, xrefs: 000D9E6B, 000D9EBB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Heap$AllocateCreateErrorKnownLastProcessWell
                          • String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$c:\agent\_work\35\s\wix\src\burn\engine\cache.cpp
                          • API String ID: 2186923214-614929094
                          • Opcode ID: 7ba82dec93b64b65c424d8684fac02325c39dd2ffd0a9dfe9b4eb926d2e50f30
                          • Instruction ID: be21ab53cf44c6264a8f545f928b53e27e7d936009591aa303a98b3990687216
                          • Opcode Fuzzy Hash: 7ba82dec93b64b65c424d8684fac02325c39dd2ffd0a9dfe9b4eb926d2e50f30
                          • Instruction Fuzzy Hash: 4F012133645B34B7D721A7965D06EEF6E989F81B60B21001AFC04AB282EEB48D4085F0
                          APIs
                          • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000003E8,000004FF), ref: 000EF7D9
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 000EF803
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,000EF9D1,00000000,?,?,?,00000000,00000000), ref: 000EF80B
                          Strings
                          • c:\agent\_work\35\s\wix\src\burn\engine\bitsengine.cpp, xrefs: 000EF82F
                          • Failed while waiting for download., xrefs: 000EF839
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ErrorLastMessageMultipleObjectsPeekWait
                          • String ID: Failed while waiting for download.$c:\agent\_work\35\s\wix\src\burn\engine\bitsengine.cpp
                          • API String ID: 435350009-3822374258
                          • Opcode ID: 391e171fb911ef06ff15a52178a0c784dbf02bd3f1cc594bda14a3a181131d19
                          • Instruction ID: fb0b3c2bb14f36b2be2bc5e54480f833e66c76bf7b726f089afb3bcc70afe9b9
                          • Opcode Fuzzy Hash: 391e171fb911ef06ff15a52178a0c784dbf02bd3f1cc594bda14a3a181131d19
                          • Instruction Fuzzy Hash: 29014C33A452767BE7205AAAAD09DEFBEDCEB04750F010131FA44FB1C0DAB09D0085E4
                          APIs
                          • GetComputerNameW.KERNEL32(?,00000010), ref: 000C7C11
                          • GetLastError.KERNEL32 ref: 000C7C1B
                          Strings
                          • Failed to get computer name., xrefs: 000C7C49
                          • Failed to set variant value., xrefs: 000C7C62
                          • c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp, xrefs: 000C7C3F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ComputerErrorLastName
                          • String ID: Failed to get computer name.$Failed to set variant value.$c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp
                          • API String ID: 3560734967-1566695098
                          • Opcode ID: eeaa08546fc43fd6fcc794ed14e99cb6c5651dc28f505d0930dbcf7184b51a1f
                          • Instruction ID: c00361165beec8b4ca212c7f16b81a35c61f4155a24e2080559e911db0d7a2ab
                          • Opcode Fuzzy Hash: eeaa08546fc43fd6fcc794ed14e99cb6c5651dc28f505d0930dbcf7184b51a1f
                          • Instruction Fuzzy Hash: C6010C33A4462967D7109BA59D45FDEB7E8AF08710F01002EFD45FB2C1DAB0AE458AE4
                          APIs
                          • GetTempPathW.KERNEL32(00000104,?), ref: 000C84D8
                          • GetLastError.KERNEL32 ref: 000C84E2
                          Strings
                          • Failed to get temp path., xrefs: 000C8510
                          • Failed to set variant value., xrefs: 000C852C
                          • c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp, xrefs: 000C8506
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ErrorLastPathTemp
                          • String ID: Failed to get temp path.$Failed to set variant value.$c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp
                          • API String ID: 1238063741-2542263510
                          • Opcode ID: 0dc26e0b922cf93546736c7c3d431e1c9d6c0cb40e563f2445f7dc2c191290b1
                          • Instruction ID: 729e813a4f192c4f1d4b9b4852ad9478995ad0eb94c494d3bb5b36d5347099fb
                          • Opcode Fuzzy Hash: 0dc26e0b922cf93546736c7c3d431e1c9d6c0cb40e563f2445f7dc2c191290b1
                          • Instruction Fuzzy Hash: E70126B6E8163967D720ABA49C0AF9E77985F00710F104169FD44FB2C2EEF0AE4487D9
                          APIs
                          • GetCurrentProcess.KERNEL32(?), ref: 000C7B5D
                            • Part of subcall function 00105C35: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,000C7B69,00000000), ref: 00105C4A
                            • Part of subcall function 00105C35: GetProcAddress.KERNEL32(00000000), ref: 00105C51
                            • Part of subcall function 00105C35: GetLastError.KERNEL32(?,?,?,?,000C7B69,00000000), ref: 00105C6C
                            • Part of subcall function 001082D9: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00108306
                          Strings
                          • Failed to get shell folder., xrefs: 000C7B91
                          • Failed to get 64-bit folder., xrefs: 000C7BA7
                          • Failed to set variant value., xrefs: 000C7BC1
                          • c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp, xrefs: 000C7B87
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
                          • String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$c:\agent\_work\35\s\wix\src\burn\engine\variable.cpp
                          • API String ID: 2084161155-3288392149
                          • Opcode ID: 98f326134a12c20979fdd3a4e3953b9e08f1b0cf6c3c9619264e85807d39fd47
                          • Instruction ID: d30127437f1e65d8a8c517b4be83260d411408ad9fe5d50b2d93a9d15b2149d7
                          • Opcode Fuzzy Hash: 98f326134a12c20979fdd3a4e3953b9e08f1b0cf6c3c9619264e85807d39fd47
                          • Instruction Fuzzy Hash: 2A01D632944228FBDF226B90CC07FDE3AADEF10760F204058F845B6092DBB59E80DB90
                          APIs
                            • Part of subcall function 000C3B2C: FindFirstFileW.KERNELBASE(?,?,?,00000000), ref: 000C3B67
                            • Part of subcall function 000C3B2C: FindClose.KERNEL32(00000000,?,00000000), ref: 000C3B73
                          • SetFileAttributesW.KERNEL32(000EACC4,00000080,00000000,000EACC4,000000FF,00000000,?,?,000EACC4), ref: 000C386D
                          • GetLastError.KERNEL32(?,?,000EACC4), ref: 000C3877
                          • DeleteFileW.KERNEL32(000EACC4,00000000,000EACC4,000000FF,00000000,?,?,000EACC4), ref: 000C3897
                          • GetLastError.KERNEL32(?,?,000EACC4), ref: 000C38A1
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 000C38BC
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\fileutil.cpp
                          • API String ID: 3967264933-3288686069
                          • Opcode ID: c8675651b80c118f571e6522e72906f5dedbfe3d3cd2d73ec0c279f1134e7dbb
                          • Instruction ID: 38d11bedbbee617b83f25bd088ac236a7a97589fa70a2bf6f4b58eb9440310d9
                          • Opcode Fuzzy Hash: c8675651b80c118f571e6522e72906f5dedbfe3d3cd2d73ec0c279f1134e7dbb
                          • Instruction Fuzzy Hash: 73018032A11736A7DB315B669D09F6FAED8AF007A4F018228FD84E61D1DB75CE0485E1
                          APIs
                          • WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,000C6BE6,?,000000FF,?,?,?,?,?,00000000,?,?,?), ref: 00105BA3
                          • GetLastError.KERNEL32(?,000C6BE6,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00105BB1
                          • GetExitCodeProcess.KERNEL32(000000FF,?), ref: 00105BF6
                          • GetLastError.KERNEL32(?,000C6BE6,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00105C00
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\procutil.cpp, xrefs: 00105BD5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ErrorLast$CodeExitObjectProcessSingleWait
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\procutil.cpp
                          • API String ID: 590199018-853185775
                          • Opcode ID: f49b91456c05fa531683e9371c4a64f32264e4af198196114d9fe147e94c14ef
                          • Instruction ID: aff92225243334f555d221bea3330c762513eac4f94bcf473587d3d5a157703c
                          • Opcode Fuzzy Hash: f49b91456c05fa531683e9371c4a64f32264e4af198196114d9fe147e94c14ef
                          • Instruction Fuzzy Hash: 4301A136940A35A7D7205B558D09AAB7F9BEB00770F128611FD98AF2C0D7B49C409ED5
                          APIs
                          • EnterCriticalSection.KERNEL32(?), ref: 000EF430
                          • LeaveCriticalSection.KERNEL32(?), ref: 000EF475
                          • SetEvent.KERNEL32(?,?,?,?), ref: 000EF489
                          Strings
                          • Failed to get state during job modification., xrefs: 000EF449
                          • Failure while sending progress during BITS job modification., xrefs: 000EF464
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: CriticalSection$EnterEventLeave
                          • String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
                          • API String ID: 3094578987-1258544340
                          • Opcode ID: 976fec229b3fe0ed612e4a63896f8166e8f4012e9fb6ffc6e0b1bf506717ad39
                          • Instruction ID: a13b12137f9032409e03ec994439fb0853eb0b734d0dac1eff1e1ce8525b3947
                          • Opcode Fuzzy Hash: 976fec229b3fe0ed612e4a63896f8166e8f4012e9fb6ffc6e0b1bf506717ad39
                          • Instruction Fuzzy Hash: 560124B6600666FFCB169B66C848AAFB7ACFF14324B004225F405E7680D7B0F950CBD0
                          APIs
                          • InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,000EF95B,?,?,?,?,?,00000000,00000000,?), ref: 000EF21D
                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,000EF95B,?,?,?,?,?,00000000,00000000,?), ref: 000EF228
                          • GetLastError.KERNEL32(?,000EF95B,?,?,?,?,?,00000000,00000000,?), ref: 000EF235
                          Strings
                          • Failed to create BITS job complete event., xrefs: 000EF263
                          • c:\agent\_work\35\s\wix\src\burn\engine\bitsengine.cpp, xrefs: 000EF259
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: CreateCriticalErrorEventInitializeLastSection
                          • String ID: Failed to create BITS job complete event.$c:\agent\_work\35\s\wix\src\burn\engine\bitsengine.cpp
                          • API String ID: 3069647169-945241457
                          • Opcode ID: 84d38ac0d50b0cc1c0b12ac712e6509a5240cc831f75edbc280581499e15387b
                          • Instruction ID: b0829c61a6f9102ed0acbc6e7c25c0fb3430b6a023e943647f3ef1879f77fa88
                          • Opcode Fuzzy Hash: 84d38ac0d50b0cc1c0b12ac712e6509a5240cc831f75edbc280581499e15387b
                          • Instruction Fuzzy Hash: 80017576541632AFC3109F9BD805A86BFD8FF05760B01412AFE48E7641D7B098508BE4
                          APIs
                          • EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,000EF7F9), ref: 000EF6A1
                          • LeaveCriticalSection.KERNEL32(00000008,?,000EF7F9), ref: 000EF6E6
                          • SetEvent.KERNEL32(?,?,000EF7F9), ref: 000EF6FA
                          Strings
                          • Failure while sending progress., xrefs: 000EF6D5
                          • Failed to get BITS job state., xrefs: 000EF6BA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: CriticalSection$EnterEventLeave
                          • String ID: Failed to get BITS job state.$Failure while sending progress.
                          • API String ID: 3094578987-2876445054
                          APIs
                          • GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 00106294
                          • GetLastError.KERNEL32(?,000C66AA,00000001,?,?,000C6227,?,?,?,?,000C712C,?,?,?,?), ref: 001062A3
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\srputil.cpp, xrefs: 001062C4
                          • SRSetRestorePointW, xrefs: 00106289
                          • srclient.dll, xrefs: 00106272
                          Similarity
                          • API ID: AddressErrorLastProc
                          • String ID: SRSetRestorePointW$c:\agent\_work\35\s\wix\src\libs\dutil\srputil.cpp$srclient.dll
                          • API String ID: 199729137-674772323
                          APIs
                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,E5DE2EA8,?,?,00000000,0010D94A,000000FF,?,000F97FD,000F98EA,?,000F97D1,00000000), ref: 000F985F
                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 000F9871
                          • FreeLibrary.KERNEL32(00000000,?,?,00000000,0010D94A,000000FF,?,000F97FD,000F98EA,?,000F97D1,00000000), ref: 000F9893
                          Strings
                          Similarity
                          • API ID: AddressFreeHandleLibraryModuleProc
                          • String ID: CorExitProcess$mscoree.dll
                          • API String ID: 4061214504-1276376045
                          APIs
                          • MultiByteToWideChar.KERNEL32(8007139F,00000000,?,?,00000000,00000000,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C2CCF
                          • GetLastError.KERNEL32(?,00000000,00000000,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C2CDB
                            • Part of subcall function 000C5369: GetProcessHeap.KERNEL32(00000000,000001C7,?,000C2CA9,000001C7,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5371
                            • Part of subcall function 000C5369: HeapSize.KERNEL32(00000000,?,000C2CA9,000001C7,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5378
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\strutil.cpp, xrefs: 000C2CFF
                          Similarity
                          • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\strutil.cpp
                          • API String ID: 3662877508-2270866816
                          APIs
                          • lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,000CA8E4,000CB431,?,000CB431,?,?,000CB431,?,?), ref: 000CA745
                          • lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,000CA8E4,000CB431,?,000CB431,?,?,000CB431,?,?), ref: 000CA74D
                          • CompareStringW.KERNEL32(0000007F,?,?,?,?,00000000,?,00000000,00000000,?,?,000CA8E4,000CB431,?,000CB431,?), ref: 000CA79C
                          • CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,000CA8E4,000CB431,?,000CB431,?), ref: 000CA7FE
                          • CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,000CA8E4,000CB431,?,000CB431,?), ref: 000CA82B
                          Similarity
                          • API ID: CompareString$lstrlen
                          • String ID:
                          • API String ID: 1657112622-0
                          APIs
                          • EnterCriticalSection.KERNEL32(000C7083,WixBundleOriginalSource,?,?,000DC258,840F01E8,WixBundleOriginalSource,?,0012EBC0,?,00000000,000C710B,00000001,?,?,000C710B), ref: 000C91BF
                          • LeaveCriticalSection.KERNEL32(000C7083,000C7083,00000000,00000000,?,?,000DC258,840F01E8,WixBundleOriginalSource,?,0012EBC0,?,00000000,000C710B,00000001,?), ref: 000C9226
                          Strings
                          • Failed to get value of variable: %ls, xrefs: 000C91F9
                          • Failed to get value as string for variable: %ls, xrefs: 000C9215
                          • WixBundleOriginalSource, xrefs: 000C91BB
                          Similarity
                          • API ID: CriticalSection$EnterLeave
                          • String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
                          • API String ID: 3168844106-30613933
                          APIs
                          • CloseHandle.KERNEL32(?,00000000,?,00000000,?,000EEB7D,00000000), ref: 000EEBA0
                          • CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,000EEB7D,00000000), ref: 000EEBAC
                          • CloseHandle.KERNEL32(0010E518,00000000,?,00000000,?,000EEB7D,00000000), ref: 000EEBB9
                          • CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,000EEB7D,00000000), ref: 000EEBC6
                          • UnmapViewOfFile.KERNEL32(0010E4E8,00000000,?,000EEB7D,00000000), ref: 000EEBD5
                          Similarity
                          • API ID: CloseHandle$FileUnmapView
                          • String ID:
                          • API String ID: 260491571-0
                          APIs
                          • SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 0010BD94
                          • GetLastError.KERNEL32 ref: 0010BD9E
                          Strings
                          Similarity
                          • API ID: Time$ErrorFileLastSystem
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\timeutil.cpp$clbcatq.dll
                          • API String ID: 2781989572-1748961360
                          APIs
                          • VariantInit.OLEAUT32(000002C0), ref: 00107C9E
                          • SysAllocString.OLEAUT32(?), ref: 00107CAE
                          • VariantClear.OLEAUT32(?), ref: 00107D8D
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\xmlutil.cpp, xrefs: 00107CC6
                          Similarity
                          • API ID: Variant$AllocClearInitString
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\xmlutil.cpp
                          • API String ID: 2213243845-465705221
                          APIs
                          • RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,000EA8B0), ref: 000C576C
                          • RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,000EA8B0,00000000), ref: 000C578A
                          • RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,000EA8B0,00000000,00000000,00000000), ref: 000C57E0
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\regutil.cpp, xrefs: 000C57B0
                          Similarity
                          • API ID: Enum$InfoQuery
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\regutil.cpp
                          • API String ID: 73471667-1760534440
                          APIs
                            • Part of subcall function 0010C3AA: lstrlenW.KERNEL32(00000100,?,?,?,0010C74A,000002C0,00000100,00000100,00000100,?,?,?,000E982C,?,?,000001BC), ref: 0010C3CF
                          • RegCloseKey.ADVAPI32(00000000,00000000,crypt32.dll,00000000,00000000,00000000,00000000,crypt32.dll), ref: 0010C9B2
                          • RegCloseKey.ADVAPI32(00000001,00000000,crypt32.dll,00000000,00000000,00000000,00000000,crypt32.dll), ref: 0010C9CC
                            • Part of subcall function 000C54AE: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,000D22E9,?,00000000,00020006), ref: 000C54D3
                            • Part of subcall function 000C5D90: RegSetValueExW.ADVAPI32(00020006,00114178,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,000D1017,00000000,?,00020006), ref: 000C5DC3
                            • Part of subcall function 000C5D90: RegDeleteValueW.ADVAPI32(00020006,00114178,00000000,?,?,000D1017,00000000,?,00020006,?,00114178,00020006,00000000,?,?,?), ref: 000C5DF3
                            • Part of subcall function 000C5D42: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,000D0F6F,00114178,Resume,00000005,?,00000000,00000000,00000000), ref: 000C5D57
                          Strings
                          Similarity
                          • API ID: Value$Close$CreateDeletelstrlen
                          • String ID: %ls\%ls$crypt32.dll
                          • API String ID: 3924016894-1754266218
                          APIs
                            • Part of subcall function 000C582C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0,00000000,?,00108D90,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 000C5840
                          • RegCloseKey.ADVAPI32(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,000EA8EC,00000000,00000000), ref: 000EA66D
                          Strings
                          • Failed to initialize package from related bundle id: %ls, xrefs: 000EA653
                          • Failed to ensure there is space for related bundles., xrefs: 000EA620
                          • Failed to open uninstall key for potential related bundle: %ls, xrefs: 000EA5DC
                          Similarity
                          • API ID: CloseOpen
                          • String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
                          • API String ID: 47109696-1717420724
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000000,80004005,00000000,00000000,00000100,?,000C1EB7,00000000,80004005,00000000,80004005,00000000,000001C7,?,000C1DFD), ref: 000C52C9
                          • HeapReAlloc.KERNEL32(00000000,?,000C1EB7,00000000,80004005,00000000,80004005,00000000,000001C7,?,000C1DFD,000001C7,00000100,?,80004005,00000000), ref: 000C52D0
                            • Part of subcall function 000C50E9: GetProcessHeap.KERNEL32(?,000001C7,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C50FA
                            • Part of subcall function 000C50E9: RtlAllocateHeap.NTDLL(00000000,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5101
                            • Part of subcall function 000C5369: GetProcessHeap.KERNEL32(00000000,000001C7,?,000C2CA9,000001C7,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5371
                            • Part of subcall function 000C5369: HeapSize.KERNEL32(00000000,?,000C2CA9,000001C7,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5378
                          • _memcpy_s.LIBCMT ref: 000C531C
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\memutil.cpp, xrefs: 000C535D
                          Similarity
                          • API ID: Heap$Process$AllocAllocateSize_memcpy_s
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\memutil.cpp
                          • API String ID: 3406509257-3234800955
                          APIs
                          • GetLastError.KERNEL32 ref: 0010BF01
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 0010BF29
                          • GetLastError.KERNEL32 ref: 0010BF33
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\inetutil.cpp, xrefs: 0010BF54
                          Similarity
                          • API ID: ErrorLastTime$FileSystem
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\inetutil.cpp
                          • API String ID: 1528435940-3624184575
                          APIs
                          • lstrlenA.KERNEL32(000E2DD0,00000000,00000000,?,?,?,0010511D,000E2DD0,000E2DD0,?,00000000,0000FDE9,?,000E2DD0,8007139F,Invalid operation for this state.), ref: 00105881
                          • WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,?,00000000,?,?,0010511D,000E2DD0,000E2DD0,?,00000000,0000FDE9,?,000E2DD0,8007139F), ref: 001058BD
                          • GetLastError.KERNEL32(?,?,0010511D,000E2DD0,000E2DD0,?,00000000,0000FDE9,?,000E2DD0,8007139F,Invalid operation for this state.,c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 001058C7
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\logutil.cpp, xrefs: 001058F8
                          Similarity
                          • API ID: ErrorFileLastWritelstrlen
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\logutil.cpp
                          APIs
                          • CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,000C6F05,00000000,?), ref: 000C15CF
                          • GetLastError.KERNEL32(?,?,?,000C6F05,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 000C15D9
                          Strings
                          • ignored , xrefs: 000C159E
                          • c:\agent\_work\35\s\wix\src\libs\dutil\apputil.cpp, xrefs: 000C15FA
                          Similarity
                          • API ID: ArgvCommandErrorLastLine
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\apputil.cpp$ignored
                          APIs
                          • FormatMessageW.KERNEL32(00000900,?,?,00000000,00000000,00000000,?,00000000,?,?,00105601,?,?,?,?,00000001), ref: 00104F4B
                          • GetLastError.KERNEL32(?,00105601,?,?,?,?,00000001,?,000C72DA,?,?,00000000,?,?,000C705B,00000002), ref: 00104F57
                          • LocalFree.KERNEL32(00000000,?,?,00000000,?,?,00105601,?,?,?,?,00000001,?,000C72DA,?,?), ref: 00104FC0
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\logutil.cpp, xrefs: 00104F76
                          Similarity
                          • API ID: ErrorFormatFreeLastLocalMessage
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\logutil.cpp
                          APIs
                          • WaitForSingleObject.KERNEL32(?,000000FF,00000000,74DF30D0,?,?,000EEE1B,00000000,00000000,00000000,00000000), ref: 000EEBF6
                          • ReleaseMutex.KERNEL32(?,?,000EEE1B,00000000,00000000,00000000,00000000), ref: 000EEC7D
                            • Part of subcall function 000C50E9: GetProcessHeap.KERNEL32(?,000001C7,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C50FA
                            • Part of subcall function 000C50E9: RtlAllocateHeap.NTDLL(00000000,?,000C2D50,?,00000001,80004005,8007139F,?,?,0010537A,8007139F,?,00000000,00000000,8007139F), ref: 000C5101
                          Strings
                          • Failed to allocate memory for message data, xrefs: 000EEC45
                          • c:\agent\_work\35\s\wix\src\burn\engine\netfxchainer.cpp, xrefs: 000EEC3B
                          Similarity
                          • API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
                          • String ID: Failed to allocate memory for message data$c:\agent\_work\35\s\wix\src\burn\engine\netfxchainer.cpp
                          APIs
                          • CreateFileW.KERNEL32(002E0032,40000000,00000001,00000000,00000002,00000080,00000000,000D2190,00000000,?,000D11D4,0010E500,00000080,002E0032,00000000), ref: 000C449B
                          • GetLastError.KERNEL32(?,000D11D4,0010E500,00000080,002E0032,00000000,?,000D2190,crypt32.dll,00000094,?,?,?,?,?,00000000), ref: 000C44A8
                          • CloseHandle.KERNEL32(00000000,00000000,0010E500,000D11D4,?,000D11D4,0010E500,00000080,002E0032,00000000,?,000D2190,crypt32.dll,00000094), ref: 000C44FC
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 000C44CC
                          Similarity
                          • API ID: CloseCreateErrorFileHandleLast
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\fileutil.cpp
                          APIs
                          • CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,000EA70D,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 000C4087
                          • GetLastError.KERNEL32(?,000EA70D,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,EngineVersion,000002C0,000000B0), ref: 000C4094
                          Strings
                          Similarity
                          • API ID: CreateErrorFileLast
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\fileutil.cpp
                          APIs
                            • Part of subcall function 000C582C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0,00000000,?,00108D90,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 000C5840
                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,00000001,00000000), ref: 000D245E
                          Strings
                          • Failed to update resume mode., xrefs: 000D242F
                          • Failed to open registration key., xrefs: 000D2415
                          • Failed to update name and publisher., xrefs: 000D2448
                          Similarity
                          • API ID: CloseOpen
                          • String ID: Failed to open registration key.$Failed to update name and publisher.$Failed to update resume mode.
                          APIs
                          • ControlService.ADVAPI32(000E85C1,00000001,?,00000001,00000000,?,?,?,?,?,?,000E85C1,00000000), ref: 000E86D5
                          • GetLastError.KERNEL32(?,?,?,?,?,?,000E85C1,00000000), ref: 000E86DF
                          Strings
                          • c:\agent\_work\35\s\wix\src\burn\engine\msuengine.cpp, xrefs: 000E8703
                          • Failed to stop wusa service., xrefs: 000E870D
                          Similarity
                          • API ID: ControlErrorLastService
                          • String ID: Failed to stop wusa service.$c:\agent\_work\35\s\wix\src\burn\engine\msuengine.cpp
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 00107F20
                          • SysFreeString.OLEAUT32(00000000), ref: 00107F53
                          Strings
                          Similarity
                          • API ID: String$AllocFree
                          • String ID: `<u$c:\agent\_work\35\s\wix\src\libs\dutil\xmlutil.cpp
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 00107FA6
                          • SysFreeString.OLEAUT32(00000000), ref: 00107FD9
                          Strings
                          Similarity
                          • API ID: String$AllocFree
                          • String ID: `<u$c:\agent\_work\35\s\wix\src\libs\dutil\xmlutil.cpp
                          APIs
                          • SysFreeString.OLEAUT32(?), ref: 00109EA0
                            • Part of subcall function 0010BC87: SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 0010BD94
                            • Part of subcall function 0010BC87: GetLastError.KERNEL32 ref: 0010BD9E
                          Strings
                          Similarity
                          • API ID: Time$ErrorFileFreeLastStringSystem
                          • String ID: `<u$c:\agent\_work\35\s\wix\src\libs\dutil\atomutil.cpp$clbcatq.dll
                          APIs
                          • PostThreadMessageW.USER32(?,00009002,00000000,?), ref: 000E0897
                          • GetLastError.KERNEL32 ref: 000E08A1
                          Strings
                          • c:\agent\_work\35\s\wix\src\burn\engine\engineforapplication.cpp, xrefs: 000E08C5
                          • Failed to post elevate message., xrefs: 000E08CF
                          Similarity
                          • API ID: ErrorLastMessagePostThread
                          • String ID: Failed to post elevate message.$c:\agent\_work\35\s\wix\src\burn\engine\engineforapplication.cpp
                          APIs
                          • GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 000CF5E8
                          • FreeLibrary.KERNEL32(?,?,000C65A9,00000000,?,?,000C7154,?,?), ref: 000CF5F7
                          • GetLastError.KERNEL32(?,000C65A9,00000000,?,?,000C7154,?,?), ref: 000CF601
                          Strings
                          • BootstrapperApplicationDestroy, xrefs: 000CF5E0
                          Similarity
                          • API ID: AddressErrorFreeLastLibraryProc
                          • String ID: BootstrapperApplicationDestroy
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 001077C4
                          • SysFreeString.OLEAUT32(00000000), ref: 001077F4
                          Strings
                          • `<u, xrefs: 001077F4
                          • c:\agent\_work\35\s\wix\src\libs\dutil\xmlutil.cpp, xrefs: 001077D8
                          Similarity
                          • API ID: String$AllocFree
                          • String ID: `<u$c:\agent\_work\35\s\wix\src\libs\dutil\xmlutil.cpp
                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 00107A69
                          • SysFreeString.OLEAUT32(00000000), ref: 00107A99
                          Strings
                          • `<u, xrefs: 00107A99
                          • c:\agent\_work\35\s\wix\src\libs\dutil\xmlutil.cpp, xrefs: 00107A80
                          Similarity
                          • API ID: String$AllocFree
                          • String ID: `<u$c:\agent\_work\35\s\wix\src\libs\dutil\xmlutil.cpp
                          APIs
                          • SetEvent.KERNEL32(0010E478,00000000,?,000E3215,?,00000000,?,000CDF87,?,000C70CB,?,000D91E6,?,?,000C70CB,?), ref: 000E22CA
                          • GetLastError.KERNEL32(?,000E3215,?,00000000,?,000CDF87,?,000C70CB,?,000D91E6,?,?,000C70CB,?,000C710B,00000001), ref: 000E22D4
                          Strings
                          • c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp, xrefs: 000E22F8
                          • Failed to set begin operation event., xrefs: 000E2302
                          Similarity
                          • API ID: ErrorEventLast
                          • String ID: Failed to set begin operation event.$c:\agent\_work\35\s\wix\src\burn\engine\cabextract.cpp
                          • API String ID: 3848097054-3342451057
                          APIs
                          • PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 000E078A
                          • GetLastError.KERNEL32 ref: 000E0794
                          Strings
                          • Failed to post apply message., xrefs: 000E07C2
                          • c:\agent\_work\35\s\wix\src\burn\engine\engineforapplication.cpp, xrefs: 000E07B8
                          Similarity
                          • API ID: ErrorLastMessagePostThread
                          • String ID: Failed to post apply message.$c:\agent\_work\35\s\wix\src\burn\engine\engineforapplication.cpp
                          • API String ID: 2609174426-2782274314
                          APIs
                          • PostThreadMessageW.USER32(?,00009000,00000000,?), ref: 000E081B
                          • GetLastError.KERNEL32 ref: 000E0825
                          Strings
                          • c:\agent\_work\35\s\wix\src\burn\engine\engineforapplication.cpp, xrefs: 000E0849
                          • Failed to post detect message., xrefs: 000E0853
                          Similarity
                          • API ID: ErrorLastMessagePostThread
                          • String ID: Failed to post detect message.$c:\agent\_work\35\s\wix\src\burn\engine\engineforapplication.cpp
                          • API String ID: 2609174426-1329210328
                          APIs
                          • PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 000E0E8E
                          • GetLastError.KERNEL32 ref: 000E0E98
                          Strings
                          • Failed to post plan message., xrefs: 000E0EC6
                          • c:\agent\_work\35\s\wix\src\burn\engine\engineforapplication.cpp, xrefs: 000E0EBC
                          Similarity
                          • API ID: ErrorLastMessagePostThread
                          • String ID: Failed to post plan message.$c:\agent\_work\35\s\wix\src\burn\engine\engineforapplication.cpp
                          • API String ID: 2609174426-2207821813
                          APIs
                          • PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 000E0F9C
                          • GetLastError.KERNEL32 ref: 000E0FA6
                          Strings
                          • Failed to post shutdown message., xrefs: 000E0FD4
                          • c:\agent\_work\35\s\wix\src\burn\engine\engineforapplication.cpp, xrefs: 000E0FCA
                          Similarity
                          • API ID: ErrorLastMessagePostThread
                          • String ID: Failed to post shutdown message.$c:\agent\_work\35\s\wix\src\burn\engine\engineforapplication.cpp
                          • API String ID: 2609174426-2765827733
                          APIs
                          • GetConsoleOutputCP.KERNEL32(E5DE2EA8,?,00000000,0012B938), ref: 0010128F
                            • Part of subcall function 000FCD50: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00100F05,?,00000000,-00000008), ref: 000FCDFC
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 001014EA
                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00101532
                          • GetLastError.KERNEL32 ref: 001015D5
                          Similarity
                          • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                          • String ID:
                          • API String ID: 2112829910-0
                          APIs
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\dlutil.cpp, xrefs: 001095D2
                          Similarity
                          • API ID: lstrlen
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\dlutil.cpp
                          • API String ID: 1659193697-2091125520
                          APIs
                          • CloseHandle.KERNEL32(?,?,?,00000000,?,000C7218,?,?,?,?,?,?), ref: 000C6CC4
                          • DeleteCriticalSection.KERNEL32(?,?,?,00000000,?,000C7218,?,?,?,?,?,?), ref: 000C6CD8
                          • TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000C7218,?,?), ref: 000C6DC7
                          • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000C7218,?,?), ref: 000C6DCE
                            • Part of subcall function 000C14EA: LocalFree.KERNEL32(?,?,000C6C81,?,00000000,?,000C7218,?,?,?,?,?,?), ref: 000C14F4
                          Similarity
                          • API ID: CriticalDeleteFreeSection$CloseHandleLocal
                          • String ID:
                          • API String ID: 3671900028-0
                          APIs
                            • Part of subcall function 000D1644: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,000C6971,?,?,00000001), ref: 000D1694
                          • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000001,00000000,?,?,?), ref: 000C69D8
                          Strings
                          • Failed to re-launch bundle process after RunOnce: %ls, xrefs: 000C69C2
                          • Failed to get current process path., xrefs: 000C6996
                          • Unable to get resume command line from the registry, xrefs: 000C6977
                          Similarity
                          • API ID: Close$Handle
                          • String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
                          • API String ID: 187904097-642631345
                          APIs
                          • ___BuildCatchObject.LIBVCRUNTIME ref: 000F3B6B
                            • Part of subcall function 000F3AB8: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 000F3AE7
                            • Part of subcall function 000F3AB8: ___AdjustPointer.LIBCMT ref: 000F3B02
                          • _UnwindNestedFrames.LIBCMT ref: 000F3B80
                          • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 000F3B91
                          • CallCatchBlock.LIBVCRUNTIME ref: 000F3BB9
                          Similarity
                          • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                          • String ID:
                          • API String ID: 737400349-0
                          APIs
                          • EnterCriticalSection.KERNEL32(?), ref: 000C913F
                          • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 000C91A6
                          Strings
                          • Failed to get value of variable: %ls, xrefs: 000C9179
                          • Failed to get value as numeric for variable: %ls, xrefs: 000C9195
                          Similarity
                          • API ID: CriticalSection$EnterLeave
                          • String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
                          • API String ID: 3168844106-4270472870
                          APIs
                          • EnterCriticalSection.KERNEL32(?), ref: 000C92AE
                          • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 000C9315
                          Strings
                          • Failed to get value of variable: %ls, xrefs: 000C92E8
                          • Failed to get value as version for variable: %ls, xrefs: 000C9304
                          Similarity
                          • API ID: CriticalSection$EnterLeave
                          • String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
                          • API String ID: 3168844106-1851729331
                          APIs
                          • EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,000D8C6F,000000B8,00000000,?,00000000,75C0B390), ref: 000CF1AD
                          • LeaveCriticalSection.KERNEL32(000000D0,?,000D8C6F,000000B8,00000000,?,00000000,75C0B390), ref: 000CF1D0
                          Strings
                          • c:\agent\_work\35\s\wix\src\burn\engine\userexperience.cpp, xrefs: 000CF1E9
                          • Engine active cannot be changed because it was already in that state., xrefs: 000CF1F3
                          Similarity
                          • API ID: CriticalSection$EnterLeave
                          • String ID: Engine active cannot be changed because it was already in that state.$c:\agent\_work\35\s\wix\src\burn\engine\userexperience.cpp
                          • API String ID: 3168844106-4173837510
                          APIs
                          • EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,000CB599,00000000,?,00000000,00000000,00000000,?,000CB3DA,00000000,?,00000000,00000000), ref: 000C923F
                          • LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,000CB599,00000000,?,00000000,00000000,00000000,?,000CB3DA,00000000,?,00000000), ref: 000C9295
                          Strings
                          • Failed to get value of variable: %ls, xrefs: 000C9265
                          • Failed to copy value of variable: %ls, xrefs: 000C9284
                          Similarity
                          • API ID: CriticalSection$EnterLeave
                          • String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
                          • API String ID: 3168844106-2936390398
                          APIs
                          • WriteConsoleW.KERNEL32(?,0012B938,00000000,00000000,?,?,00102A9B,?,00000001,?,0012B938,?,00101629,0012B938,?,00000000), ref: 0010393D
                          • GetLastError.KERNEL32(?,00102A9B,?,00000001,?,0012B938,?,00101629,0012B938,?,00000000,0012B938,0012B938,?,00101BB0,?), ref: 00103949
                            • Part of subcall function 0010390F: CloseHandle.KERNEL32(FFFFFFFE,00103959,?,00102A9B,?,00000001,?,0012B938,?,00101629,0012B938,?,00000000,0012B938,0012B938), ref: 0010391F
                          • ___initconout.LIBCMT ref: 00103959
                            • Part of subcall function 001038D1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00103900,00102A88,0012B938,?,00101629,0012B938,?,00000000,0012B938), ref: 001038E4
                          • WriteConsoleW.KERNEL32(?,0012B938,00000000,00000000,?,00102A9B,?,00000001,?,0012B938,?,00101629,0012B938,?,00000000,0012B938), ref: 0010396E
                          Similarity
                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                          • String ID:
                          • API String ID: 2744216297-0
                          APIs
                          • RegCloseKey.ADVAPI32(00000000), ref: 000C569B
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\regutil.cpp, xrefs: 000C5688
                          Similarity
                          • API ID: Close
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\regutil.cpp
                          • API String ID: 3535843008-1760534440
                          APIs
                            • Part of subcall function 000C582C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0,00000000,?,00108D90,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 000C5840
                          • RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,?,00000000,00000101), ref: 000C3FD9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: CloseOpen
                          • String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
                          • API String ID: 47109696-3023217399
                          APIs
                          • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 000C59DD
                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 000C5A15
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\regutil.cpp, xrefs: 000C5A51
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: QueryValue
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\regutil.cpp
                          • API String ID: 3660427363-1760534440
                          APIs
                          • ___except_validate_context_record.LIBVCRUNTIME ref: 000F2BE3
                          • __IsNonwritableInCurrentImage.LIBCMT ref: 000F2C9C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: CurrentImageNonwritable___except_validate_context_record
                          • String ID: csm
                          • API String ID: 3480331319-1018135373
                          APIs
                            • Part of subcall function 0010C3AA: lstrlenW.KERNEL32(00000100,?,?,?,0010C74A,000002C0,00000100,00000100,00000100,?,?,?,000E982C,?,?,000001BC), ref: 0010C3CF
                          • RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,0010E500,wininet.dll,?), ref: 0010C5B9
                          • RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,0010E500,wininet.dll,?), ref: 0010C5C6
                            • Part of subcall function 000C582C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0,00000000,?,00108D90,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 000C5840
                            • Part of subcall function 000C5711: RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,000EA8B0), ref: 000C576C
                            • Part of subcall function 000C5711: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,000EA8B0,00000000), ref: 000C578A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: Close$EnumInfoOpenQuerylstrlen
                          • String ID: wininet.dll
                          • API String ID: 2680864210-3354682871
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: _memcpy_s
                          • String ID: crypt32.dll$wininet.dll
                          • API String ID: 2001391462-82500532
                          APIs
                            • Part of subcall function 000C582C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0,00000000,?,00108D90,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 000C5840
                          • RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000000,?,?,?,?,000D5C74,feclient.dll,?,00000000,?,?,?,000C67E0), ref: 000D5805
                            • Part of subcall function 000C5967: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 000C59DD
                            • Part of subcall function 000C5967: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 000C5A15
                          Strings
                          • SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 000D577B
                          • Logging, xrefs: 000D5792
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: QueryValue$CloseOpen
                          • String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer
                          • API String ID: 1586453840-387823766
                          APIs
                          • RegSetValueExW.ADVAPI32(00020006,00114178,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,000D1017,00000000,?,00020006), ref: 000C5DC3
                          • RegDeleteValueW.ADVAPI32(00020006,00114178,00000000,?,?,000D1017,00000000,?,00020006,?,00114178,00020006,00000000,?,?,?), ref: 000C5DF3
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\regutil.cpp, xrefs: 000C5E27
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: Value$Delete
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\regutil.cpp
                          • API String ID: 1738766685-1760534440
                          APIs
                          • CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,000E9146,00000000,IGNOREDEPENDENCIES,00000000,?,0010E518), ref: 000CFAE1
                          Strings
                          • Failed to copy the property value., xrefs: 000CFB15
                          • IGNOREDEPENDENCIES, xrefs: 000CFA98
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: CompareString
                          • String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
                          • API String ID: 1825529933-1412343224
                          APIs
                          • CoInitializeEx.OLE32(00000000,00000000), ref: 000D7491
                          • CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 000D74EA
                          Strings
                          • Failed to initialize COM on cache thread., xrefs: 000D74A6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: InitializeUninitialize
                          • String ID: Failed to initialize COM on cache thread.
                          • API String ID: 3442037557-3629645316
                          APIs
                          • Sleep.KERNEL32(20000004,00000000,00000000,00000000,00000000,00000000,?,?,000DAABC,?,00000001,20000004,00000000,00000000,?,00000000), ref: 00108C21
                          • SetNamedSecurityInfoW.ADVAPI32(00000000,?,000007D0,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,000DAABC,?), ref: 00108C3C
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\aclutil.cpp, xrefs: 00108C60
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: InfoNamedSecuritySleep
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\aclutil.cpp
                          • API String ID: 2352087905-3501249528
                          APIs
                          • LCMapStringW.KERNEL32(0000007F,00000000,00000000,000D8D17,00000000,000D8D17,00000000,00000000,000D8D17,00000000,00000000,00000000,?,000C2DF4,00000000,00000000), ref: 000C2009
                          • GetLastError.KERNEL32(?,000C2DF4,00000000,00000000,000D8D17,00000200,?,0010886C,00000000,000D8D17,00000000,000D8D17,00000000,00000000,00000000), ref: 000C2013
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\strutil.cpp, xrefs: 000C2037
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: ErrorLastString
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\strutil.cpp
                          • API String ID: 3728238275-2270866816
                          APIs
                            • Part of subcall function 000C582C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0,00000000,?,00108D90,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 000C5840
                          • RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,00108049,?), ref: 0010821A
                          Strings
                          • EnableLUA, xrefs: 001081EC
                          • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 001081C4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: CloseOpen
                          • String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
                          • API String ID: 47109696-3551287084
                          APIs
                          • lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,000C1175,?,?,00000000), ref: 000C6E08
                          • CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,000C1175,?,?,00000000), ref: 000C6E38
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: CompareStringlstrlen
                          • String ID: burn.clean.room
                          • API String ID: 1433953587-3055529264
                          APIs
                          • RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,000D22E9,?,00000000,00020006), ref: 000C54D3
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\regutil.cpp, xrefs: 000C54FB
                          • ", xrefs: 000C5507
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: Create
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\regutil.cpp$"
                          • API String ID: 2289755597-3090044715
                          APIs
                          • SysFreeString.OLEAUT32(00000000), ref: 00109F14
                          Strings
                          • `<u, xrefs: 00109F14
                          • c:\agent\_work\35\s\wix\src\libs\dutil\atomutil.cpp, xrefs: 00109ED0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          Similarity
                          • API ID: FreeString
                          • String ID: `<u$c:\agent\_work\35\s\wix\src\libs\dutil\atomutil.cpp
                          • API String ID: 3341692771-2849780082
                          APIs
                          • GetCurrentProcess.KERNEL32(?), ref: 000C822F
                            • Part of subcall function 00105C35: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,000C7B69,00000000), ref: 00105C4A
                            • Part of subcall function 00105C35: GetProcAddress.KERNEL32(00000000), ref: 00105C51
                            • Part of subcall function 00105C35: GetLastError.KERNEL32(?,?,?,?,000C7B69,00000000), ref: 00105C6C
                            • Part of subcall function 000C799D: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 000C7A23
                          Strings
                          • Failed to get 64-bit folder., xrefs: 000C8252
                          • Failed to set variant value., xrefs: 000C826C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
                          • String ID: Failed to get 64-bit folder.$Failed to set variant value.
                          • API String ID: 3109562764-2681622189
                          • Opcode ID: 7b5888afb9b3d7380c0afcab8daafd6c2846f8712afc42aee3d557dc4631744b
                          • Instruction ID: d4ce0e2d38db3ffc471aa69ede77ea74cbad0f13866bc1f0f17a30d9944f1fb2
                          • Opcode Fuzzy Hash: 7b5888afb9b3d7380c0afcab8daafd6c2846f8712afc42aee3d557dc4631744b
                          • Instruction Fuzzy Hash: F6016232941628BBDF11ABA0CC4AFDE7B68EF04761F108159F441B6051DB71AF40DBD4
                          APIs
                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,000C114E,?,00000000), ref: 000C4E5B
                          • GetLastError.KERNEL32(?,?,?,?,000C114E,?,00000000), ref: 000C4E72
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\pathutil.cpp, xrefs: 000C4E96
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ErrorFileLastModuleName
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\pathutil.cpp
                          • API String ID: 2776309574-1490408167
                          • Opcode ID: 08f4ab0e94c83934bed5dae9af3bd8e54b68218bf2e625287df9db3b2ad3417e
                          • Instruction ID: 34ca3b93f179f5370cd9a2e811d3a7baeaec0dc04f02f7f19f1caa5b6e3ccbb6
                          • Opcode Fuzzy Hash: 08f4ab0e94c83934bed5dae9af3bd8e54b68218bf2e625287df9db3b2ad3417e
                          • Instruction Fuzzy Hash: B7F0C233A0013067C7315B9AAC58F8FFEA9BB41B60B130129FE84AB241D6B1DC0092E0
                          APIs
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 000F0C02
                            • Part of subcall function 000F2E0D: RaiseException.KERNEL32(?,?,?,000F0C24,?,00000000,00000000,?,?,?,?,?,000F0C24,?,0012B510), ref: 000F2E6D
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 000F0C1F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Exception@8Throw$ExceptionRaise
                          • String ID: Unknown exception
                          • API String ID: 3476068407-410509341
                          • Opcode ID: 84bbad7b3c88549e58b0ce300ac74b58eb6e90e9210f3876fde77ad00e1bbd6a
                          • Instruction ID: 23d8156acfe645b46c371750966e9bcfcad54c6e04af65b571497cf84e823c76
                          • Opcode Fuzzy Hash: 84bbad7b3c88549e58b0ce300ac74b58eb6e90e9210f3876fde77ad00e1bbd6a
                          • Instruction Fuzzy Hash: 3EF0C23490420DBBCB14FAA4EC46DFD33AC9F00354B608561BB14D6C93EBB0EA56E6D1
                          APIs
                          • GetFileSizeEx.KERNEL32(00000000,00000000,00000000,74DF34C0,?,?,?,000CD729,?,?,?,00000000,00000000), ref: 000C40F6
                          • GetLastError.KERNEL32(?,?,?,000CD729,?,?,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000C4100
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 000C4124
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ErrorFileLastSize
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\fileutil.cpp
                          • API String ID: 464720113-3288686069
                          • Opcode ID: 0bc1dfdfac4a04663583618268ed696467bf3a5cc393f671bb4cd1b9aec664bb
                          • Instruction ID: 3d1fd8a101db6b869fcfa6e30d590fd681fab120c8ecf32014a6c8f3bc79d48b
                          • Opcode Fuzzy Hash: 0bc1dfdfac4a04663583618268ed696467bf3a5cc393f671bb4cd1b9aec664bb
                          • Instruction Fuzzy Hash: AAF031B6910635ABD7105B458D05A9EFBE8FF14750B054119ED85A7240E2B0AD40C7D1
                          APIs
                          • CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,000C712C,?,00000000,000C712C,?,?,?), ref: 0010835F
                          • CoCreateInstance.OLE32(00000000,00000000,00000001,0012AC0C,?), ref: 00108377
                          Strings
                          • Microsoft.Update.AutoUpdate, xrefs: 0010835A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: CreateFromInstanceProg
                          • String ID: Microsoft.Update.AutoUpdate
                          • API String ID: 2151042543-675569418
                          • Opcode ID: 3dac9a173c13337e018dbd75b5ad0a2719fe7388254f90648097d1c89428e99d
                          • Instruction ID: 5b135d29db80b760235ca2f940182b1c16ffbcc640ad4f96d1258d2e0cd54096
                          • Opcode Fuzzy Hash: 3dac9a173c13337e018dbd75b5ad0a2719fe7388254f90648097d1c89428e99d
                          • Instruction Fuzzy Hash: EDF03071600219BBD700DBA9D9059EFBBF8FF49710F400425E501E7190D6B0EA558666
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000), ref: 000C7F37
                            • Part of subcall function 00105B2D: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,000C7F43,00000000), ref: 00105B3F
                            • Part of subcall function 00105B2D: GetProcAddress.KERNEL32(00000000), ref: 00105B46
                            • Part of subcall function 00105B2D: GetLastError.KERNEL32(?,?,?,000C7F43,00000000), ref: 00105B65
                          Strings
                          • Failed to get native machine value., xrefs: 000C7F49
                          • Failed to set variant value., xrefs: 000C7F6A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: AddressCurrentErrorHandleLastModuleProcProcess
                          • String ID: Failed to get native machine value.$Failed to set variant value.
                          • API String ID: 896058289-851826934
                          • Opcode ID: ac712dd6753eb6e18c4fed6786b48fb1c75d15919f04aff68fe8fc9d579e6e24
                          • Instruction ID: c4c92ac4ea90ccc43f47effda0d7d28f422184a66f813d432289496c2071e8d7
                          • Opcode Fuzzy Hash: ac712dd6753eb6e18c4fed6786b48fb1c75d15919f04aff68fe8fc9d579e6e24
                          • Instruction Fuzzy Hash: 2FF02772948634B6CB1663649C46EEE36AC9B00760B000129F848E6180DBB5EE41DAA0
                          APIs
                          • GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 000C56EA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2946974095.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                          • Associated: 00000000.00000002.2946912364.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947087091.000000000010E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947170501.000000000012E000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2947219060.0000000000131000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: AddressProc
                          • String ID: AdvApi32.dll$RegDeleteKeyExW
                          • API String ID: 190572456-850864035
                          • Opcode ID: 6d8f6549f3cffcc2b4b68334703df655a14205c33ed0d2d73c5bb1576b44bf0a
                          • Instruction ID: 5641fe4ef341a2822bb57befd45cf7229aa0b17aa33275c9fee3f1fa66199880
                          • Opcode Fuzzy Hash: 6d8f6549f3cffcc2b4b68334703df655a14205c33ed0d2d73c5bb1576b44bf0a
                          • Instruction Fuzzy Hash: C2E0C272A45220EFD7208B21BC44F883AE0B304B06F000A19F042A6EE1E3F168E2CFC4

                          Control-flow Graph for the function whose first block is 6a415460-6a415484 (legend: Executed / Not Executed)
                          APIs
                          • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(invalid hash bucket count,?,00000000,811C9DC5,?,?,?,6A414E1C,?,?,?,?,?,?,6A4E7A5D), ref: 6A415624
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          • Associated: 00000001.00000002.2956019742.000000006A380000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956226101.000000006A558000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956253117.000000006A55A000.00000008.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956278956.000000006A55D000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956304864.000000006A564000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956329196.000000006A565000.00000002.00000001.01000000.0000000D.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Xlength_error@std@@
                          • String ID: $#$/$4$_until$arams$ble$eiron$invalid hash bucket count$nabled$nabled$nabled$onds$path$peer$ree$seconds$server_$servers$sting$test.plugins.lab_automation$test.plugins.np_mock$time$url
                          • API String ID: 1004598685-773278480
                          • Opcode ID: b77088abe5cd58dddc79f12b95aef89319161e601efaeb44090b5c67dca9c224
                          • Instruction ID: 74369803aecf285af50c412926ea9f9dd915305a17bc283cdc25ce9d80aa12f8
                          • Opcode Fuzzy Hash: b77088abe5cd58dddc79f12b95aef89319161e601efaeb44090b5c67dca9c224
                          • Instruction Fuzzy Hash: 7BA26E70905399CBEB15DF24C9487E9BBB0AF5A308F2082DDD4586B242DBB19AC5CF91

                          Control-flow Graph for the function whose first block is 6a412ec0-6a412f57 (legend: Executed / Not Executed)
                          APIs
                            • Part of subcall function 6A4DFBA4: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6A3CE626,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 6A4DFBB9
                            • Part of subcall function 6A412EC0: HttpQueryInfoA.WININET(00000000,80000015,?,?,00000000), ref: 6A41283B
                            • Part of subcall function 6A412EC0: GetLastError.KERNEL32 ref: 6A412849
                          • memchr.VCRUNTIME140(?,0000003A,?,00000000), ref: 6A412F82
                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000), ref: 6A413136
                          • HttpSendRequestExA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 6A413296
                          • InternetWriteFile.WININET(00000000,?,00000000,?), ref: 6A4132FE
                          • HttpEndRequestW.WININET(00000000,00000000,00000000,00000000), ref: 6A41334A
                          • GetLastError.KERNEL32 ref: 6A413358
                          • GetLastError.KERNEL32 ref: 6A41342D
                          • _CxxThrowException.VCRUNTIME140(?,6A550ED0,?), ref: 6A4134E8
                          • GetLastError.KERNEL32(?,6A550ED0,?), ref: 6A4134ED
                          • _CxxThrowException.VCRUNTIME140(?,6A550ED0,?), ref: 6A4135A8
                          • HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 6A413619
                          • GetLastError.KERNEL32(?,?), ref: 6A41364B
                          • _CxxThrowException.VCRUNTIME140(?,6A550ED0,?,?,?,?,?,?,?,?), ref: 6A4136F7
                          Strings
                          • InternetWriteFile failed with error code , xrefs: 6A41350E
                          • read_response: could not determine status code: error , xrefs: 6A412E1D
                          • HttpSendRequestEx failed with error code , xrefs: 6A41344E
                          • nitro::http::request_wininet::send_request, xrefs: 6A4133BC, 6A413491, 6A413551, 6A4136A6
                          • nitro::http::request_wininet::read_response, xrefs: 6A412C88, 6A412E5D
                          • failed to read response: error code , xrefs: 6A412B52
                          • HttpSendRequest failed with error code , xrefs: 6A413666
                          • Content-Length: , xrefs: 6A4131CB
                          • HttpEndRequest failed with error code , xrefs: 6A413379
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          • Associated: 00000001.00000002.2956019742.000000006A380000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956226101.000000006A558000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956253117.000000006A55A000.00000008.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956278956.000000006A55D000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956304864.000000006A564000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956329196.000000006A565000.00000002.00000001.01000000.0000000D.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ErrorLast$Http$ExceptionRequestThrow$Send$FileInfoInternetQueryWrite_invalid_parameter_noinfo_noreturnmallocmemchr
                          • String ID: Content-Length: $HttpEndRequest failed with error code $HttpSendRequest failed with error code $HttpSendRequestEx failed with error code $InternetWriteFile failed with error code $failed to read response: error code $nitro::http::request_wininet::read_response$nitro::http::request_wininet::send_request$read_response: could not determine status code: error
                          • API String ID: 2462558538-3830616522
                          • Opcode ID: 2b88f9f33765b765af16c682e1293f0209041b9e041c3640fdc95a81673faedb
                          • Instruction ID: 941c874d10a7ba3627815693435c44fc605db191474da304ac0102c995ad5112
                          • Opcode Fuzzy Hash: 2b88f9f33765b765af16c682e1293f0209041b9e041c3640fdc95a81673faedb
                          • Instruction Fuzzy Hash: B732D371A002589BDB20DFA4CC48FEEBBB8FF45308F114599E529A7281DF74AE44CB91
                          APIs
                          • memset.VCRUNTIME140(?,00000000,00000040,?,?,?,?,cohorts,?,?,?,?,00000000), ref: 6A41985A
                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020,?,?,?,?,?,cohorts,?,?,?,?,00000000), ref: 6A4198C4
                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000), ref: 6A419AE9
                            • Part of subcall function 6A41A010: __std_type_info_name.VCRUNTIME140(00000001,6A564610,5574176C,?,Function_00162060,000000FF,?,6A419AF9,?,?,?,00000000), ref: 6A41A03B
                            • Part of subcall function 6A418CE0: memmove.VCRUNTIME140(00000000,7AE8FFFF,?,00000000,?,811C9DC5), ref: 6A418D87
                            • Part of subcall function 6A425690: __std_exception_copy.VCRUNTIME140(?,?,?,Missing value of type '{}' at '{}'), ref: 6A42574F
                          • _CxxThrowException.VCRUNTIME140(?,6A5526E0,?,?,?,?,?,?,?,00000000), ref: 6A419B22
                          • _CxxThrowException.VCRUNTIME140(?,6A5526E0,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6A419B61
                          • ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 6A419C7D
                          • ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 6A419CE1
                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,?,00000000,00000000,5574176C,00000000), ref: 6A419D3E
                            • Part of subcall function 6A425CB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(6A416EC0,5574176C,00000000,00000000,6A4F2FAC,00000000,6A4E9400,000000FF,?,6A4199D1,00000000), ref: 6A425D1C
                            • Part of subcall function 6A416710: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,5574176C,?,00000000,?,00000000,6A4E7B10,000000FF), ref: 6A4167D9
                            • Part of subcall function 6A416820: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(5574176C,00000000,0000000C,00000000,Function_00162AB0,000000FF), ref: 6A4168B7
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          • Associated: 00000001.00000002.2956019742.000000006A380000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956226101.000000006A558000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956253117.000000006A55A000.00000008.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956278956.000000006A55D000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956304864.000000006A564000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956329196.000000006A565000.00000002.00000001.01000000.0000000D.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: _invalid_parameter_noinfo_noreturn$ExceptionThrow___std_fs_convert_narrow_to_wide@20free$__std_exception_copy__std_type_info_namemallocmemmovememset
                          • String ID: $0Oj$@$cohorts$experiments$pdTj$pdTj$values
                          • API String ID: 3310216540-1406296197
                          • Opcode ID: 879ec941dd43e64407401d2ac67c0029a69d9fb473c77812fda253a17d14559a
                          • Instruction ID: cff7a58cfebb90c0fed3ad7c05ed681ce3d7f6d637484c5db0804e62fde6a30a
                          • Opcode Fuzzy Hash: 879ec941dd43e64407401d2ac67c0029a69d9fb473c77812fda253a17d14559a
                          • Instruction Fuzzy Hash: 3C426E71C04259DADB21CFA4CC98FEEB7B8AF05304F10419AD529A3252EF756B84CFA1
                          APIs
                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000000,00000000,00000000,?,00000000), ref: 6A40C418
                          • memset.VCRUNTIME140(00000000,00000000), ref: 6A40C479
                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,00000000), ref: 6A40C4A8
                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6A40C50E
                          • DeviceIoControl.KERNEL32(000000FF,95358204,?,?), ref: 6A40C547
                          • CloseHandle.KERNEL32(000000FF), ref: 6A40C554
                          • std::_Xregex_error.LIBCPMT ref: 6A40C648
                          • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6A40C710
                            • Part of subcall function 6A3CEE40: memmove.VCRUNTIME140(?,?,00000000,00000001,?,?,?,6A3E2666,00000000,00000001), ref: 6A3CEE6A
                          • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6A40C76E
                          Strings
                          • Failed writing to file , xrefs: 6A40C791
                          • get_next_capacity, allocator's max size reached, xrefs: 6A40C643
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          • Associated: 00000001.00000002.2956019742.000000006A380000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956226101.000000006A558000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956253117.000000006A55A000.00000008.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956278956.000000006A55D000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956304864.000000006A564000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956329196.000000006A565000.00000002.00000001.01000000.0000000D.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide$CloseControlDeviceHandleXregex_error_errno_invalid_parameter_noinfo_noreturnfwritememmovememsetstd::_
                          • String ID: Failed writing to file $get_next_capacity, allocator's max size reached
                          • API String ID: 3833961994-3100589897
                          • Opcode ID: 9a48697068894ba6e55e152979c190f8a91ffe96a39b1c1881e6070ac41c8ae3
                          • Instruction ID: 08293763b5645f54cac56c1857122bceb38409ea9d442f965132d50491099180
                          • Opcode Fuzzy Hash: 9a48697068894ba6e55e152979c190f8a91ffe96a39b1c1881e6070ac41c8ae3
                          • Instruction Fuzzy Hash: 30E19D71900219DBDB24CF58CC94FEEBBB5FF49315F1041A9E529A7680DB30AA84DFA1

                          Control-flow Graph
                          [Figure: control-flow graph beginning at basic block 6a40a760-6a40a798; legend: Executed / Not Executed]
                          APIs
                          • _Mtx_lock.MSVCP140(?,5574176C,?,?,?,?,6A4E5C0D,000000FF), ref: 6A40A78E
                          • _Mtx_unlock.MSVCP140(?), ref: 6A40A7AF
                          • ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 6A40A7CB
                          • _Mtx_lock.MSVCP140(?,5574176C,?,?), ref: 6A40A827
                          • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 6A40A896
                          • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6A40A8A3
                          • _Mtx_unlock.MSVCP140(?), ref: 6A40A8E1
                          Strings
                          • stdout_sink_base: WriteFile() failed. GetLastError(): , xrefs: 6A40A92A
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          • Associated: 00000001.00000002.2956019742.000000006A380000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956226101.000000006A558000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956253117.000000006A55A000.00000008.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956278956.000000006A55D000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956304864.000000006A564000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956329196.000000006A565000.00000002.00000001.01000000.0000000D.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Mtx_lockMtx_unlock$C_error@std@@FileThrow_Writefflush
                          • String ID: stdout_sink_base: WriteFile() failed. GetLastError():
                          • API String ID: 1909936328-4275763312
                          • Opcode ID: c550dee18afa3fd5139e0344fe13dd7eee551bb3eee57a9007e29e6c6afdcb80
                          • Instruction ID: b6a92bad47b063f614826a1ac4615d093e4ea85dd513ae39c01d71e1b4b69d33
                          • Opcode Fuzzy Hash: c550dee18afa3fd5139e0344fe13dd7eee551bb3eee57a9007e29e6c6afdcb80
                          • Instruction Fuzzy Hash: 8BB180B1900219AFDB14DF54CC44FEABBB8FF09314F1041AAE919A3641DB75AE54CFA1

                          Control-flow Graph
                          [Figure: control-flow graph beginning at basic block 6a4df8e0-6a4df8f2; legend: Executed / Not Executed]
                          APIs
                          • __EH_prolog3_catch.LIBCMT ref: 6A4DF8E7
                          • #2184.MFC140U(00000018,6A4E0449,?,00000001,00000000,?,00000001,00000000,?,00000001,00000000,6A5540B0,0000000C,00000007,6A554088,00000010), ref: 6A4DF8FD
                          • #2408.MFC140U(?,00000000,6A4EF738,00000000,00000018,6A4E0449,?,00000001,00000000,?,00000001,00000000,?,00000001,00000000,6A5540B0), ref: 6A4DF90C
                          • #2410.MFC140U(?,6A4E0432,?,00000001,?,?,00000001,?,6A5540B0,0000000C,6A4E052B,?,00000001,?), ref: 6A4DF915
                          • #2268.MFC140U(6A5644FC,?,?,00000000,6A4EF738,00000000,00000018,6A4E0449,?,00000001,00000000,?,00000001,00000000,?,00000001), ref: 6A4DF95E
                          • #485.MFC140U(6A5644FC,00000000,00000040,6A5644FC,?,?,00000000,6A4EF738,00000000,00000018,6A4E0449,?,00000001,00000000,?,00000001), ref: 6A4DF97C
                          • #2365.MFC140U(00000040,6A5644FC,?,?,00000000,6A4EF738,00000000,00000018,6A4E0449,?,00000001,00000000,?,00000001,00000000,?), ref: 6A4DF9BA
                          • #2365.MFC140U(hdTj,00000018,6A4E0449,?,00000001,00000000,?,00000001,00000000,?,00000001,00000000,6A5540B0,0000000C,00000007,6A554088), ref: 6A4DF9CF
                          • #2300.MFC140U(hdTj,00000018,6A4E0449,?,00000001,00000000,?,00000001,00000000,?,00000001,00000000,6A5540B0,0000000C,00000007,6A554088), ref: 6A4DF9F5
                          • #2399.MFC140U(000000FF,hdTj,00000018,6A4E0449,?,00000001,00000000,?,00000001,00000000,?,00000001,00000000,6A5540B0,0000000C,00000007), ref: 6A4DF9FC
                          • #2410.MFC140U(000000FF,hdTj,00000018,6A4E0449,?,00000001,00000000,?,00000001,00000000,?,00000001,00000000,6A5540B0,0000000C,00000007), ref: 6A4DFA01
                          • #2374.MFC140U(6A5644FC,00000001,000000FF,hdTj,00000018,6A4E0449,?,00000001,00000000,?,00000001,00000000,?,00000001,00000000,6A5540B0), ref: 6A4DFA0D
                          • #2365.MFC140U(6A5644FC,00000001,000000FF,hdTj,00000018,6A4E0449,?,00000001,00000000,?,00000001,00000000,?,00000001,00000000,6A5540B0), ref: 6A4DFA21
                          • #324.MFC140U(hdTj,00000018,6A4E0449,?,00000001,00000000,?,00000001,00000000,?,00000001,00000000,6A5540B0,0000000C,00000007,6A554088), ref: 6A4DFA37
                          • #2300.MFC140U(hdTj,00000018,6A4E0449,?,00000001,00000000,?,00000001,00000000,?,00000001,00000000,6A5540B0,0000000C,00000007,6A554088), ref: 6A4DFA3F
                          • #2399.MFC140U(000000FF,hdTj,00000018,6A4E0449,?,00000001,00000000,?,00000001,00000000,?,00000001,00000000,6A5540B0,0000000C,00000007), ref: 6A4DFA46
                          • #2376.MFC140U(?,000000FF,hdTj,00000018,6A4E0449,?,00000001,00000000,?,00000001,00000000,?,00000001,00000000,6A5540B0,0000000C), ref: 6A4DFA4E
                          • #1052.MFC140U(?,000000FF,hdTj,00000018,6A4E0449,?,00000001,00000000,?,00000001,00000000,?,00000001,00000000,6A5540B0,0000000C), ref: 6A4DFA56
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          • Associated: 00000001.00000002.2956019742.000000006A380000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956226101.000000006A558000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956253117.000000006A55A000.00000008.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956278956.000000006A55D000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956304864.000000006A564000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956329196.000000006A565000.00000002.00000001.01000000.0000000D.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: #2365$#2300#2399#2410$#1052#2184#2268#2374#2376#2408#324#485H_prolog3_catch
                          • String ID: hdTj
                          • API String ID: 147726984-3820516122
                          • Opcode ID: a1261b7a510538007813918f661be2d1e88d1d7f6545d1db95c625f861543b60
                          • Instruction ID: 751f7c929d1292fcaf1fec701457d932350fbc23e66b616feb9faaf799c9bce5
                          • Opcode Fuzzy Hash: a1261b7a510538007813918f661be2d1e88d1d7f6545d1db95c625f861543b60
                          • Instruction Fuzzy Hash: 8B31C530A81100EBCB11BB788D6CE6D36F17F6635AB020069D532EB372DF748A8186A1
                          APIs
                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,?,00000000,?,BootstrapperCore.config,00000000,?,?), ref: 6CBF1667
                          • SetErrorMode.KERNEL32(00000000,?,00000000,?,BootstrapperCore.config,00000000,?,?), ref: 6CBF167E
                          • GetProcAddress.KERNEL32(?,CLRCreateInstance), ref: 6CBF16A6
                          • SHCreateStreamOnFileEx.SHLWAPI(?,00000020,00000000,00000000,00000000,?,?,00000000,?,BootstrapperCore.config,00000000,?,?), ref: 6CBF16F5
                          • CompareStringW.KERNEL32(00000000,00000000,v4.0.30319,000000FF,?,?,?,00000000,?,BootstrapperCore.config,00000000,?,?), ref: 6CBF179C
                          • GetProcAddress.KERNEL32(?,CorBindToCurrentRuntime), ref: 6CBF180B
                          • GetLastError.KERNEL32(?,00000000,?,BootstrapperCore.config,00000000,?,?), ref: 6CBF1811
                          • FreeLibrary.KERNEL32(?,?,00000000,?,BootstrapperCore.config,00000000), ref: 6CBF18BD
                          • SetErrorMode.KERNEL32(00000000,?,00000000,?,BootstrapperCore.config,00000000), ref: 6CBF18C6
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956392338.000000006CBF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CBF0000, based on PE: true
                          • Associated: 00000001.00000002.2956368107.000000006CBF0000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000001.00000002.2956422927.000000006CC08000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000001.00000002.2956449438.000000006CC10000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000001.00000002.2956473751.000000006CC12000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6cbf0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Error$Mode$AddressProc$CompareCreateFileFreeLastLibraryStreamString
                          • String ID: 0!$CLRCreateInstance$CorBindToCurrentRuntime$c:\agent\_work\35\s\wix\src\ext\balextension\mba\host\host.cpp$mscoree.dll$v4.0.30319
                          • API String ID: 3217175720-3745671801
                          • Opcode ID: e43ac4f8862e17e10cfcebcb1091e71d6b5b8f907335ea6fafaa655c43de197e
                          • Instruction ID: 63da8604a15a488061d58d96979a542ff02b408cd764293d4fccbd0e5f6e0afb
                          • Opcode Fuzzy Hash: e43ac4f8862e17e10cfcebcb1091e71d6b5b8f907335ea6fafaa655c43de197e
                          • Instruction Fuzzy Hash: B071B1B1E01169BBDB11CB95C844EDEBBB8EF45715F094A59E820BB710D731D906CBA0
                          APIs
                          • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00000000,00000000,00000000,?,?,?,6CBF10B0,?,?,00000000,00000000,6CBF14A0,00000000), ref: 6CBF2EF9
                          • GetLastError.KERNEL32(?,?,?,6CBF10B0,?,?,00000000,00000000,6CBF14A0,00000000,?,BootstrapperCore.config,00000000,?,?), ref: 6CBF2F05
                          • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6CBF2F45
                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 6CBF2F51
                          • GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 6CBF2F5C
                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 6CBF2F66
                          • CoCreateInstance.OLE32(6CC1093C,00000000,00000001,6CC08260,?,?,?,?,6CBF10B0,?,?,00000000,00000000,6CBF14A0,00000000,?), ref: 6CBF2FA1
                          • ExitProcess.KERNEL32 ref: 6CBF3050
                          Strings
                          • Wow64RevertWow64FsRedirection, xrefs: 6CBF2F5E
                          • Wow64DisableWow64FsRedirection, xrefs: 6CBF2F4B
                          • IsWow64Process, xrefs: 6CBF2F3F
                          • c:\agent\_work\35\s\wix\src\libs\dutil\xmlutil.cpp, xrefs: 6CBF2F29
                          • kernel32.dll, xrefs: 6CBF2EE9
                          • Wow64EnableWow64FsRedirection, xrefs: 6CBF2F53
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956392338.000000006CBF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CBF0000, based on PE: true
                          • Associated: 00000001.00000002.2956368107.000000006CBF0000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000001.00000002.2956422927.000000006CC08000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000001.00000002.2956449438.000000006CC10000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000001.00000002.2956473751.000000006CC12000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6cbf0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
                          • String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$c:\agent\_work\35\s\wix\src\libs\dutil\xmlutil.cpp$kernel32.dll
                          • API String ID: 2124981135-3450629486
                          • Opcode ID: f251f7cc6f04fabeec584c9ec1d574396b6f75b95ac4dc0660d1399643f59465
                          • Instruction ID: e6ea920e7cd4630ef4cc9c0eef43012fad8797ee042744bc153ba2b60ee49002
                          • Opcode Fuzzy Hash: f251f7cc6f04fabeec584c9ec1d574396b6f75b95ac4dc0660d1399643f59465
                          • Instruction Fuzzy Hash: 47412871B01695ABEF109BB9C854F9EB7B8EF04744F11846AE910EBB40D731CD06CB92
                          APIs
                          • memset.VCRUNTIME140(?,00000000,00000408), ref: 6A40178A
                          • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 6A4017A1
                          • PathAppendW.SHLWAPI(?,Nitro), ref: 6A4017CF
                          • PathAppendW.SHLWAPI(?,PDF Pro), ref: 6A4017DD
                          • PathAppendW.SHLWAPI(?,6A4F1178), ref: 6A4017EB
                          • memset.VCRUNTIME140(?,00000000,00000208,?,00000000,?,?), ref: 6A401836
                          • GetShortPathNameW.KERNEL32(?,?,00000104), ref: 6A401855
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          • Associated: 00000001.00000002.2956019742.000000006A380000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956226101.000000006A558000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956253117.000000006A55A000.00000008.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956278956.000000006A55D000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956304864.000000006A564000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956329196.000000006A565000.00000002.00000001.01000000.0000000D.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Path$Append$memset$FolderNameShort
                          • String ID: DirectoryCreateRecursively: empty path$DirectoryExists: empty path$Nitro$PDF Pro$get_next_capacity, allocator's max size reached
                          • API String ID: 4168097778-2027120104
                          • Opcode ID: e6fef466db8e2a9668c06eb760bc3012516157965c5a0101106bf3a4edb91b0a
                          • Instruction ID: 95682e9f79c769841970c381bfc5ff03b9889f4a823d4c4e4a22bd58d04adec7
                          • Opcode Fuzzy Hash: e6fef466db8e2a9668c06eb760bc3012516157965c5a0101106bf3a4edb91b0a
                          • Instruction Fuzzy Hash: F0312271A00208ABCB14DF68CC48FEAB3B9FF85344F0401A9E915D7241EF30AA55DBB1
                          APIs
                          • InternetOpenA.WININET(Nitro 14.29.1.0,00000000,00000000,00000000,00000000), ref: 6A4100B5
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 6A410121
                          • GetLastError.KERNEL32(?,?,?,00000000,?,00000008), ref: 6A41015B
                          • GetLastError.KERNEL32(?,?,?,00000000,?,00000008), ref: 6A410209
                          • _CxxThrowException.VCRUNTIME140(?,6A550ED0,00000000,?,?,?,?,?,?,?,00000000,?,00000008), ref: 6A410252
                          Strings
                          • Nitro 14.29.1.0, xrefs: 6A4100A9
                          • connection_wininet: InternetOpen failed: error , xrefs: 6A410221
                          • creating connection to , xrefs: 6A410068
                          • connection_wininet: InternetConnect failed: error , xrefs: 6A410173
                          • nitro::http::connection_wininet::connection_wininet, xrefs: 6A41004C
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          • Associated: 00000001.00000002.2956019742.000000006A380000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956226101.000000006A558000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956253117.000000006A55A000.00000008.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956278956.000000006A55D000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956304864.000000006A564000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956329196.000000006A565000.00000002.00000001.01000000.0000000D.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ErrorInternetLast$ConnectExceptionOpenThrow
                          • String ID: Nitro 14.29.1.0$connection_wininet: InternetConnect failed: error $connection_wininet: InternetOpen failed: error $creating connection to $nitro::http::connection_wininet::connection_wininet
                          • API String ID: 3479136341-3975291617
                          • Opcode ID: f08923f9eed4c0fd980f9295c23c828f0a2d3431d27f6fc0f20b60b37f85065a
                          • Instruction ID: 5ee8dc6cc0896b787555b3830ba5635cb1b5403317023b750c3d9257165d4386
                          • Opcode Fuzzy Hash: f08923f9eed4c0fd980f9295c23c828f0a2d3431d27f6fc0f20b60b37f85065a
                          • Instruction Fuzzy Hash: D271B371904258AEDF11DBA4CC4CFDEBBB8AF51308F1145A9E529A3282DF746F44CBA1
                          APIs
                          • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(5574176C,?,0000000C), ref: 6A425133
                          • ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(00000038,00000000,00000000,5574176C,?,0000000C), ref: 6A425151
                          • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140 ref: 6A42517B
                          • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140 ref: 6A425195
                          • ?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z.MSVCP140(00000040,00000001,00000000), ref: 6A4251D5
                          • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140 ref: 6A4251F1
                          • _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000000,00000001), ref: 6A425219
                          • ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?), ref: 6A42525E
                          • ?always_noconv@codecvt_base@std@@QBE_NXZ.MSVCP140 ref: 6A425275
                          • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140 ref: 6A42528D
                          • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000), ref: 6A4252B8
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          • Associated: 00000001.00000002.2956019742.000000006A380000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956226101.000000006A558000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956253117.000000006A55A000.00000008.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956278956.000000006A55D000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956304864.000000006A564000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956329196.000000006A565000.00000002.00000001.01000000.0000000D.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: U?$char_traits@$D@std@@@std@@$Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Fiopen@std@@U_iobuf@@V?$basic_streambuf@Vlocale@2@_get_stream_buffer_pointers
                          • String ID:
                          • API String ID: 2682282330-0
                          • Opcode ID: 776eeaff989b09f7e6749c5fa49bc9a2cd857249310ba8705e7336ae4d7132e9
                          • Instruction ID: ea110edbb8cae9cd322df20b0af9c7aeaecbb72d5d40f80092341ce7666eba46
                          • Opcode Fuzzy Hash: 776eeaff989b09f7e6749c5fa49bc9a2cd857249310ba8705e7336ae4d7132e9
                          • Instruction Fuzzy Hash: E1513BB4600646EFEB10DF68C988BA9BBF4FF49305F04452AE815C7781DB75A914CFA1
                          APIs
                          • GetCurrentProcess.KERNEL32(5574176C), ref: 6A41F24D
                          • OpenProcessToken.ADVAPI32(00000000,00020008,?), ref: 6A41F26A
                          • GetLastError.KERNEL32(device: OpenProcessToken failed: ), ref: 6A41F2AE
                          • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,0000004C,?), ref: 6A41F30B
                          • GetLastError.KERNEL32(device: GetTokenInformation failed: ), ref: 6A41F34C
                          • GetLengthSid.ADVAPI32(?), ref: 6A41F38A
                          • memmove.VCRUNTIME140(00000000,?,00000000,00000000), ref: 6A41F39D
                            • Part of subcall function 6A41E890: CloseHandle.KERNEL32(?,5574176C,?,?,?,?,?,6A4E8820,000000FF), ref: 6A41E8CA
                          Strings
                          • device: GetTokenInformation failed: , xrefs: 6A41F33A
                          • device: OpenProcessToken failed: , xrefs: 6A41F29C
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          • Associated: 00000001.00000002.2956019742.000000006A380000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956226101.000000006A558000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956253117.000000006A55A000.00000008.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956278956.000000006A55D000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956304864.000000006A564000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956329196.000000006A565000.00000002.00000001.01000000.0000000D.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ErrorLastProcessToken$CloseCurrentHandleInformationLengthOpenmemmove
                          • String ID: device: GetTokenInformation failed: $device: OpenProcessToken failed:
                          • API String ID: 2312845398-4227612482
                          • Opcode ID: 56870f921529dc3cc49a2a8a444fae007e94cc73fd826ba6dbdf97e45c26d524
                          • Instruction ID: 06cd81f6771a9072eab48031cedaaab3e7791e2378b28229e169ee7fafde9b00
                          • Opcode Fuzzy Hash: 56870f921529dc3cc49a2a8a444fae007e94cc73fd826ba6dbdf97e45c26d524
                          • Instruction Fuzzy Hash: 12412D759052189BDF20DF64CC8CFA9BBB8BF05308F0141A9E919A7282DF755E49CB91
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 6CBF123D
                          • SysAllocString.OLEAUT32(BootstrapperCore, Version=3.0.0.0, Culture=neutral, PublicKeyToken=ce35f76fcda82bad), ref: 6CBF124E
                          • SysAllocString.OLEAUT32(Microsoft.Tools.WindowsInstallerXml.Bootstrapper.BootstrapperApplicationFactory), ref: 6CBF126D
                          • VariantClear.OLEAUT32(?), ref: 6CBF12FA
                          • SysFreeString.OLEAUT32(00000000), ref: 6CBF1316
                          • SysFreeString.OLEAUT32(00000000), ref: 6CBF1321
                          Strings
                          • Microsoft.Tools.WindowsInstallerXml.Bootstrapper.BootstrapperApplicationFactory, xrefs: 6CBF1268
                          • c:\agent\_work\35\s\wix\src\ext\balextension\mba\host\host.cpp, xrefs: 6CBF12EC
                          • BootstrapperCore, Version=3.0.0.0, Culture=neutral, PublicKeyToken=ce35f76fcda82bad, xrefs: 6CBF1249
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956392338.000000006CBF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CBF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6cbf0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: String$AllocFreeVariant$ClearInit
                          • String ID: BootstrapperCore, Version=3.0.0.0, Culture=neutral, PublicKeyToken=ce35f76fcda82bad$Microsoft.Tools.WindowsInstallerXml.Bootstrapper.BootstrapperApplicationFactory$c:\agent\_work\35\s\wix\src\ext\balextension\mba\host\host.cpp
                          • API String ID: 2225245433-1907023637
                          • Opcode ID: 00a72d8347777667845400ae25526244bf9d446092657ce61188f7bd3ae5f6a8
                          • Instruction ID: f4bf43e7612df9ef98872cf60b6166b76d151dbe246995f0466bda22c2de4470
                          • Opcode Fuzzy Hash: 00a72d8347777667845400ae25526244bf9d446092657ce61188f7bd3ae5f6a8
                          • Instruction Fuzzy Hash: 283124B5B40299BBDB10CAE8C848E9B3BBCEF45314B194929F814EB740DA70CD09C7A0
                          APIs
                            • Part of subcall function 6A3EB710: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 6A3EB7A0
                            • Part of subcall function 6A3EB710: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 6A3EB7E8
                            • Part of subcall function 6A3DB610: memmove.VCRUNTIME140(?,00000000,00000010,00000000,?,?,6A40F5DF,?,5574176C,00000000,00000000,?), ref: 6A3DB65A
                            • Part of subcall function 6A421950: _wgetenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(NITRO_DATA_FOLDER,5574176C), ref: 6A42198B
                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6A3F2CB9
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ___std_fs_convert_narrow_to_wide@20$_invalid_parameter_noinfo_noreturn_wgetenvmemmove
                          • String ID: O$ab.json$configuration.json$experiments$https://desktop.gonitro.com$https://desktop.gonitrodev.com$server
                          • API String ID: 3607146090-2700645247
                          • Opcode ID: f7474afb6b9aa939f5f0298acecc7be3145fac5fb8422e622b78a26bafc8a07b
                          • Instruction ID: cdee23261f4bd9a890c3b06aab904fa613eee819bee39c4e0ba16db28b009cbc
                          • Opcode Fuzzy Hash: f7474afb6b9aa939f5f0298acecc7be3145fac5fb8422e622b78a26bafc8a07b
                          • Instruction Fuzzy Hash: 9CC1AE70C14298DEEB11CFA4CD48BDDBBB5FF45304F108589E449A7292DB745A89CFA2
                          APIs
                          • iswalpha.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000000,?), ref: 6A3F7F72
                          • GetFileAttributesW.KERNEL32(00000000,00000000,00000000,?), ref: 6A3F7F9D
                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 6A3F7FBB
                          • GetLastError.KERNEL32 ref: 6A3F7FC9
                          • _CxxThrowException.VCRUNTIME140(?,6A550ED0,DirectoryExists: empty path,00000000,00000000,?), ref: 6A3F8077
                          Strings
                          • DirectoryExists: empty path, xrefs: 6A3F804A
                          • DirectoryCreateRecursively: cannot create directory, xrefs: 6A3F8061
                          • DirectoryCreate: empty path, xrefs: 6A3F8043
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: AttributesCreateDirectoryErrorExceptionFileLastThrowiswalpha
                          • String ID: DirectoryCreate: empty path$DirectoryCreateRecursively: cannot create directory$DirectoryExists: empty path
                          • API String ID: 3105388156-3616752010
                          • Opcode ID: 2231ed9b7950b8a5c064b8ae8d30e9faed7033403fc2f3aa937aac5d8e13323c
                          • Instruction ID: f56203ba2cd529b854bb87e58acfb9e7943991a43f95c443e572ab7b4f840b96
                          • Opcode Fuzzy Hash: 2231ed9b7950b8a5c064b8ae8d30e9faed7033403fc2f3aa937aac5d8e13323c
                          • Instruction Fuzzy Hash: 59417D70A1020AAFCF18CF69C840DAEB7B5FF45354F51886AE825E7241EF32D942CB61
                          APIs
                            • Part of subcall function 6A4DFBA4: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6A3CE626,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 6A4DFBB9
                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000000,00000001), ref: 6A3D01A0
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: _invalid_parameter_noinfo_noreturnmalloc
                          • String ID:
                          • API String ID: 1104909994-0
                          • Opcode ID: fe56f2b7b94abbe3f414319156a12cd62c553196860c818496152c97c7e9e736
                          • Instruction ID: cde7fce4e3ed405c53c96bee4cccf7cda6ebe201fdb6849ff468fddeb7c143b7
                          • Opcode Fuzzy Hash: fe56f2b7b94abbe3f414319156a12cd62c553196860c818496152c97c7e9e736
                          • Instruction Fuzzy Hash: 8481C572600204DFD714DF68D89499EB7A9FF56720F10422EF86AC73A1DF719A50C7A1
                          APIs
                            • Part of subcall function 6A409970: memset.VCRUNTIME140(?,00000000,00000408), ref: 6A4096C2
                            • Part of subcall function 6A409970: SHGetFolderPathW.SHELL32(00000000,00000028,00000000,00000000,?), ref: 6A4096D9
                            • Part of subcall function 6A409970: GetFileAttributesW.KERNEL32(?,\.nitro\test,0000000C,?,?), ref: 6A4097A8
                          • memset.VCRUNTIME140(?,00000000,00000208,?,5574176C,?,?), ref: 6A4099DC
                            • Part of subcall function 6A3F7E00: memmove.VCRUNTIME140(?,00000000,00000000,?,5574176C,?,?), ref: 6A3F7EC3
                          • GetCurrentProcessId.KERNEL32(?,00000000,?,?,?,?,?,?,?,5574176C,?,?), ref: 6A409B8B
                            • Part of subcall function 6A3EB710: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 6A3EB7A0
                            • Part of subcall function 6A3EB710: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 6A3EB7E8
                            • Part of subcall function 6A3DE480: memmove.VCRUNTIME140(?,?,00000000,?,6A3DF6CE,?,?,?,?,?,?,?), ref: 6A3DE58C
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ___std_fs_convert_narrow_to_wide@20memmovememset$AttributesCurrentFileFolderPathProcess
                          • String ID: -bugsplat$.log$DirectoryExists: empty path$USERPROFILE$\.nitro\test
                          • API String ID: 2399948096-3244002384
                          • Opcode ID: 9d41f8da6e14b5e2f98bb9fad0c3192382a1dee71890c15a24ff7391baafda85
                          • Instruction ID: a97f201751d6746c60a378376957d0f796fcd56a380300fe033fa9aa1cd7ec39
                          • Opcode Fuzzy Hash: 9d41f8da6e14b5e2f98bb9fad0c3192382a1dee71890c15a24ff7391baafda85
                          • Instruction Fuzzy Hash: C6A13571D14228EADB21DB54CC9CBDEBBB9FB04304F1006D9E459A3292DB755B84DFA0
                          APIs
                            • Part of subcall function 6CBF2115: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,00000000,?,?,?,6CBF1453,?), ref: 6CBF2136
                          • SysAllocString.OLEAUT32(?), ref: 6CBF1535
                          • SysAllocString.OLEAUT32(00000000), ref: 6CBF1577
                          • SysFreeString.OLEAUT32(00000000), ref: 6CBF15EF
                          • SysFreeString.OLEAUT32(?), ref: 6CBF15F8
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956392338.000000006CBF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CBF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6cbf0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: String$AllocFree$FileModuleName
                          • String ID: BootstrapperCore.config$MBA$c:\agent\_work\35\s\wix\src\ext\balextension\mba\host\host.cpp
                          • API String ID: 1371041548-1403730670
                          • Opcode ID: 2d5819e8b9aa972f2e96dd94414c04df6f5baa8cbdaa9fef525949f4fd46b7a4
                          • Instruction ID: c8ff38fd1ffb71f13666891bbbd04580ece8f96e0d20fdee10b5ecf01e29bf7d
                          • Opcode Fuzzy Hash: 2d5819e8b9aa972f2e96dd94414c04df6f5baa8cbdaa9fef525949f4fd46b7a4
                          • Instruction Fuzzy Hash: 5151D4B1E015A6AFDF12CB94C844EAE7BB4EF44714F194655E921BB750DB30CD0ACB90
                          APIs
                          • InternetCrackUrlA.WININET(6A410098,22546800,00000000,0000003C), ref: 6A4143AE
                          • memmove.VCRUNTIME140(?,?,FFFFFFFF), ref: 6A414400
                          • memmove.VCRUNTIME140(00000000,?,?,0000000100000000), ref: 6A414449
                          • GetLastError.KERNEL32 ref: 6A4144C6
                          • _CxxThrowException.VCRUNTIME140(?,6A551D48,00000000), ref: 6A414534
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: memmove$CrackErrorExceptionInternetLastThrow
                          • String ID: ): $parse_url: error (
                          • API String ID: 1999285957-167584429
                          • Opcode ID: af801414383bab41eea5a028d86d92468eb6b92a65de178e4b3005a342e99d14
                          • Instruction ID: ae1940bca630dbb511c4cb2fd5fe6112a98417b2c18e7607f6a6eddf36cdb210
                          • Opcode Fuzzy Hash: af801414383bab41eea5a028d86d92468eb6b92a65de178e4b3005a342e99d14
                          • Instruction Fuzzy Hash: 6C515071D04259DBDB20CF64CC44FAEBBB8BF45314F21479AE469A7281DB74AA80CF91
                          APIs
                          • #321.MFC140U(5574176C), ref: 6A3D1725
                          • #324.MFC140U(00000000,5574176C), ref: 6A3D1741
                          • ??1handler@metrics@nitro@@UAE@XZ.METRICS(?,?,?,?), ref: 6A3D1865
                          • #1052.MFC140U(?,?,?,?), ref: 6A3D1880
                          • #2396.MFC140U(?,?,?,?), ref: 6A3D188C
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: #1052#2396#321#324??1handler@metrics@nitro@@
                          • String ID: from bootstrapper$Logging event
                          • API String ID: 3330822897-1131588823
                          • Opcode ID: bf1b90a06f5fbf8cb5230f35dd6ec3f75be2a6f20589cc3959296547168a1c63
                          • Instruction ID: 89a5e424480dbf810df81f11ee94915ef0f9c1485e468d4c20ede2b2061287b7
                          • Opcode Fuzzy Hash: bf1b90a06f5fbf8cb5230f35dd6ec3f75be2a6f20589cc3959296547168a1c63
                          • Instruction Fuzzy Hash: 1A518C71901258EADF10DBA4CD98BDDB7B8AF18318F1141E9E819A3291EF356F44CBA1
                          APIs
                            • Part of subcall function 6CBF31FF: CoInitialize.OLE32(00000000), ref: 6CBF320E
                            • Part of subcall function 6CBF31FF: CLSIDFromProgID.OLE32(Msxml2.DOMDocument,6CC1093C,00000000,00000000,6CBF109A,00000000,00000000,6CBF14A0,00000000,?,BootstrapperCore.config,00000000,?,?), ref: 6CBF3246
                            • Part of subcall function 6CBF31FF: CLSIDFromProgID.OLE32(MSXML.DOMDocument,6CC1093C,?,?), ref: 6CBF3252
                          • RegCloseKey.ADVAPI32(?,00000000,00000000,6CBF14A0,00000000,?,BootstrapperCore.config,00000000,?,?), ref: 6CBF11D4
                            • Part of subcall function 6CBF3500: VariantInit.OLEAUT32(?), ref: 6CBF350C
                            • Part of subcall function 6CBF3500: SysAllocString.OLEAUT32(?), ref: 6CBF351C
                            • Part of subcall function 6CBF3500: VariantClear.OLEAUT32(?), ref: 6CBF3558
                          Strings
                          • c:\agent\_work\35\s\wix\src\ext\balextension\mba\host\host.cpp, xrefs: 6CBF1199
                          • version, xrefs: 6CBF10FB
                          • /configuration/wix.bootstrapper/host/supportedFramework, xrefs: 6CBF10BE
                          • Install, xrefs: 6CBF114E
                          • SOFTWARE\Microsoft\NET Framework Setup\NDP\%ls, xrefs: 6CBF1118
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956392338.000000006CBF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CBF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6cbf0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: FromProgVariant$AllocClearCloseInitInitializeString
                          • String ID: /configuration/wix.bootstrapper/host/supportedFramework$Install$SOFTWARE\Microsoft\NET Framework Setup\NDP\%ls$c:\agent\_work\35\s\wix\src\ext\balextension\mba\host\host.cpp$version
                          • API String ID: 3220102618-3662383286
                          • Opcode ID: c3dc11dc951b9c12198da74e54073d6c8e4cabc95cf638bab5f1a55b10bb48ee
                          • Instruction ID: 163eb811ed2e44060ea2dd1bc1a7e706ac3c006f4cd13f851a9f869c9a108fed
                          • Opcode Fuzzy Hash: c3dc11dc951b9c12198da74e54073d6c8e4cabc95cf638bab5f1a55b10bb48ee
                          • Instruction Fuzzy Hash: 3A5151B5D4165AABDF11CB95C800DEEBBB8EF45704B14456AE920B7710D731CE0ACBA1
                          APIs
                          • __RTC_Initialize.LIBCMT ref: 6A4E0370
                          • ___scrt_uninitialize_crt.LIBCMT ref: 6A4E038A
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Initialize___scrt_uninitialize_crt
                          • String ID:
                          • API String ID: 2442719207-0
                          • Opcode ID: 80937fea7e95905c54f146a0f388e4375329104f96936d829e17e769d7a16aa3
                          • Instruction ID: 92b80f883fb152426aa37d46488e35605e350e70e2fb98410aa9fc6678ffd53b
                          • Opcode Fuzzy Hash: 80937fea7e95905c54f146a0f388e4375329104f96936d829e17e769d7a16aa3
                          • Instruction Fuzzy Hash: 95417272985214ABDB20DFA9CE44F6E7AB5FBC1796F12451AE834A6251CF3049028BE0
                          APIs
                          • memmove.VCRUNTIME140(00000000,?,?,?,?,?,00000000,?,6A3F49DF,0000005C,?,?,?,?,?,?), ref: 6A3F5815
                          • memmove.VCRUNTIME140(00000000,?,?,?,?,?,00000000,?,6A3F49DF,0000005C,?,?,?,?,?,?), ref: 6A3F5849
                            • Part of subcall function 6A3D0130: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,6A3DC52E,?,?,?,?,?,?,00000000,?), ref: 6A3D0135
                            • Part of subcall function 6A4DFD54: EnterCriticalSection.KERNEL32(6A5645C4,00000000,00000000,?,6A401C2C,6A5618A4,5574176C,?,6A4E5871,000000FF,?,6A4095E0,?,?,6A40FD5A,?), ref: 6A4DFD5F
                            • Part of subcall function 6A4DFD54: LeaveCriticalSection.KERNEL32(6A5645C4,?,6A401C2C,6A5618A4,5574176C,?,6A4E5871,000000FF,?,6A4095E0,?,?,6A40FD5A,?,00000004,00000000), ref: 6A4DFD9C
                            • Part of subcall function 6A4DFD0A: EnterCriticalSection.KERNEL32(6A5645C4,?,?,6A3F72BA,6A5616DC,6A4E99F0,6A5616C4,6A4F0D6C), ref: 6A4DFD14
                            • Part of subcall function 6A4DFD0A: LeaveCriticalSection.KERNEL32(6A5645C4,?,6A3F72BA,6A5616DC,6A4E99F0,6A5616C4,6A4F0D6C), ref: 6A4DFD47
                            • Part of subcall function 6A4DFD0A: RtlWakeAllConditionVariable.NTDLL ref: 6A4DFDBE
                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000008), ref: 6A3F5B9C
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: CriticalSection$EnterLeavememmove$ConditionVariableWakeXlength_error@std@@_invalid_parameter_noinfo_noreturn
                          • String ID: Authorization: Bearer {}$n/json
                          • API String ID: 505256318-3243731365
                          • Opcode ID: 5ead3e9e1f24d2f377be8056b80cff997c9cdf6be86510aafcfaa688b05a9f2e
                          • Instruction ID: c176a7264db87765aa24abbc0b8b0b701a727b7240de96aead599e33f649d9de
                          • Opcode Fuzzy Hash: 5ead3e9e1f24d2f377be8056b80cff997c9cdf6be86510aafcfaa688b05a9f2e
                          • Instruction Fuzzy Hash: 7FF10275910249DFCB04CFA8C848B9DBBF4FF49314F21851AE819AB391EB31A945CB91
                          APIs
                            • Part of subcall function 6A4189F0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020,?,00000000,0000000C,00000000), ref: 6A418A96
                          • ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 6A419C7D
                          • ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 6A419CE1
                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,?,00000000,00000000,5574176C,00000000), ref: 6A419D3E
                          Strings
                          • Could not load experiments file - file: {}, xrefs: 6A419F4D
                          • Could not load experiments file - parse error: {} file: {}, xrefs: 6A419E3C
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ___std_fs_convert_narrow_to_wide@20$_invalid_parameter_noinfo_noreturnmalloc
                          • String ID: Could not load experiments file - file: {}$Could not load experiments file - parse error: {} file: {}
                          • API String ID: 2352057096-1752305539
                          • Opcode ID: fac300f0999a84069808586f91a4235e2ffbbd11e3bc5354df623a72e7f1e1e7
                          • Instruction ID: 6fa46553f8373e966b75bb121d7f457973ab5021496c91c4f783b4f184f9b45f
                          • Opcode Fuzzy Hash: fac300f0999a84069808586f91a4235e2ffbbd11e3bc5354df623a72e7f1e1e7
                          • Instruction Fuzzy Hash: DCD14971D04248DEDB14CFA8CC88FEEBBB4EF14304F21849AD425A7292DB716A45CFA1
                          APIs
                            • Part of subcall function 6A3DB610: memmove.VCRUNTIME140(?,00000000,00000010,00000000,?,?,6A40F5DF,?,5574176C,00000000,00000000,?), ref: 6A3DB65A
                            • Part of subcall function 6A4DFBA4: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6A3CE626,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 6A4DFBB9
                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020,?,00000000), ref: 6A416570
                          • _CxxThrowException.VCRUNTIME140(?,6A552214,?,Cannot load configuration file.,00000000,?,00000004,?,>WAj,5574176C,0000000C,00000000), ref: 6A41667C
                          • __std_exception_copy.VCRUNTIME140(00000010,00000001,5574176C,00000028,00000004,?,00000000,6A4E53CD,000000FF,?,?,6A552214,?,Cannot load configuration file.,00000000,?), ref: 6A4166D9
                            • Part of subcall function 6A4DFBA4: _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6A3CE626,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 6A4DFBAC
                            • Part of subcall function 6A4DFBA4: _CxxThrowException.VCRUNTIME140(?,6A5540CC), ref: 6A4E0F6F
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ExceptionThrowmalloc$__std_exception_copy_callnewhmemmove
                          • String ID: >WAj$Cannot load configuration file.
                          • API String ID: 3673766267-601949582
                          • Opcode ID: 3ad696d525ffe32f624ab5173d0c70528a81946833471ad6865e844c38c7e4f8
                          • Instruction ID: 57658e1891125fc550a0a3427aede25d3af60c8b55bf31fe04b66e2ad24bfd29
                          • Opcode Fuzzy Hash: 3ad696d525ffe32f624ab5173d0c70528a81946833471ad6865e844c38c7e4f8
                          • Instruction Fuzzy Hash: 88816CB1904749EFCB10CF68C844B9AFBF8FF09314F11865AE865A7750EB74AA54CB90
                          APIs
                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00000001,00000000,00000040,00000001,5574176C), ref: 6A4280A4
                            • Part of subcall function 6A423FB0: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(5574176C,?), ref: 6A424004
                            • Part of subcall function 6A423FB0: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(5574176C,?), ref: 6A42402C
                          • ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(?,?,00000000,00000001,00000000,00000040,00000001,5574176C), ref: 6A4280FE
                          • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6A42810A
                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00000000), ref: 6A42818A
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: D@std@@@std@@U?$char_traits@$?sgetc@?$basic_streambuf@_invalid_parameter_noinfo_noreturn$??1?$basic_ios@??1?$basic_istream@
                          • String ID: dEOj
                          • API String ID: 741299523-970402799
                          • Opcode ID: 5ce76abcecb3bd316ba4a1f591092e83d27e0aff5ffc2125a73e78fa6f4ba40f
                          • Instruction ID: 7c8ca72ed879be5cc348ff9d07bcaf489dfa39bb239b479d549d028d965a5e75
                          • Opcode Fuzzy Hash: 5ce76abcecb3bd316ba4a1f591092e83d27e0aff5ffc2125a73e78fa6f4ba40f
                          • Instruction Fuzzy Hash: D4914971D01248DFEB14CFA8CD98BEDBBB5FF49304F218159E419AB291DB74AA84CB50
                          APIs
                          • ceil.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6A414B89
                          • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(unordered_map/set too long,6A4E7785,6A4E7A5D,811C9DC5,5574176C,0000000C,00000000,?,?,6A4E7785), ref: 6A414C7C
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Xlength_error@std@@ceil
                          • String ID: BaAj$]zNj$unordered_map/set too long
                          • API String ID: 2778784045-1259436695
                          • Opcode ID: 107a5ccbe2d696d0542c183114345d38b9ac455e2f7cba703449c520079195c1
                          • Instruction ID: 0ad78c55aa91199ac59ed4e9141c4802130bb0ad39fe2d8c7f3805e15e58ecfc
                          • Opcode Fuzzy Hash: 107a5ccbe2d696d0542c183114345d38b9ac455e2f7cba703449c520079195c1
                          • Instruction Fuzzy Hash: 0761A6B1905209DFCB14CF68C8C4AADB7B0FF49399F15876AD425BB241DB31AD82CB90
                          APIs
                          • HttpOpenRequestA.WININET(00000000,00000000,?,HTTP/1.1,00000000,00000000,00000000,00000000), ref: 6A4103D5
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: HttpOpenRequest
                          • String ID: request for $HTTP/1.1$initiating $nitro::http::connection_wininet::open_request
                          • API String ID: 1984915467-845188930
                          • Opcode ID: 39d7b6b7d503a260cbdb970926bea5fc13571040123f869907761d631719b0fc
                          • Instruction ID: fff160cf30ab33c418c2e4f49abc99fc258b8c8862ee476aec129e4417cc7357
                          • Opcode Fuzzy Hash: 39d7b6b7d503a260cbdb970926bea5fc13571040123f869907761d631719b0fc
                          • Instruction Fuzzy Hash: 654193B1A00258ABDF10DFA4DC88F9DB7B4AF44318F1105ADE929A7281DF34AE40CB95
                          APIs
                          • _fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?,5574176C,?,?,?,?,?,?,?,?,?,6A4E68C5,000000FF,?,6A3FC64A,00000000), ref: 6A40C941
                          • _filelength.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,6A4E68C5,000000FF,?,6A3FC64A,00000000,00000000), ref: 6A40C948
                          • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6A4E68C5), ref: 6A40C99C
                          Strings
                          • Failed getting file size from fd, xrefs: 6A40C9A2
                          • Cannot use size() on closed file , xrefs: 6A40C989
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: _errno_filelength_fileno
                          • String ID: Cannot use size() on closed file $Failed getting file size from fd
                          • API String ID: 4061260447-3173200547
                          • Opcode ID: 505868d7759036e8ea32871c413bb5e1137bd95bcb3c975972160fd818dbbf81
                          • Instruction ID: edae2df2af46f94e9de3e68079a4813e2c6ae3a374bf56ae90cab6233cf15a13
                          • Opcode Fuzzy Hash: 505868d7759036e8ea32871c413bb5e1137bd95bcb3c975972160fd818dbbf81
                          • Instruction Fuzzy Hash: 851154B1900248EBCF00DBA4DC49F9EB7BCFF05219F054569E925E7241DF35A905CBA1
                          APIs
                          • _wstat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?,5574176C,?,?), ref: 6A403F2C
                          • memset.VCRUNTIME140(?,00000000,00000100), ref: 6A403FBD
                            • Part of subcall function 6A3CEEE0: memmove.VCRUNTIME140(?,?,?,00000000,?,00000000,?,?,00000001,?,?,?,6A3E2666,00000000,00000001), ref: 6A3CEF12
                          • _wstat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(6A4E5AED,?,?,?), ref: 6A4041E1
                          • _wmkdir.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(6A4E5AED), ref: 6A4041FE
                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6A4042AC
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: _wstat64i32$_invalid_parameter_noinfo_noreturn_wmkdirmemmovememset
                          • String ID:
                          • API String ID: 3014784530-0
                          • Opcode ID: 7d03611d6f94806f42d66a0569b13e6dfccc8b4ff43a52755441baf0d8d83387
                          • Instruction ID: f0156602d1615495e1578dc0d50fc17b8cd873e3016c6247c64a4bc7d200bae7
                          • Opcode Fuzzy Hash: 7d03611d6f94806f42d66a0569b13e6dfccc8b4ff43a52755441baf0d8d83387
                          • Instruction Fuzzy Hash: 6CB1A271A04219CFCB14CF68CC44AEDB7B1BF99394F55426DD829B7381DB30AA85CB90
                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: dllmain_raw$dllmain_crt_dispatch
                          • String ID:
                          • API String ID: 3136044242-0
                          • Opcode ID: 349e5948d76ca30e66a5e621419c360ba63cd9be75bd36ab76e286f95028e25c
                          • Instruction ID: fbd32270ad315482ca74c3847414cc6d64b4d7761f56d7f350c471aed97d6f81
                          • Opcode Fuzzy Hash: 349e5948d76ca30e66a5e621419c360ba63cd9be75bd36ab76e286f95028e25c
                          • Instruction Fuzzy Hash: EF217171D81218ABDB219E55CE44E6E3AB9FBC1796F224559F8346B211CF308D528BE0
                          APIs
                            • Part of subcall function 6A3CEEE0: memmove.VCRUNTIME140(?,?,?,00000000,?,00000000,?,?,00000001,?,?,?,6A3E2666,00000000,00000001), ref: 6A3CEF12
                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6A4F0DC4,000000FF), ref: 6A40B027
                          • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(5574176C), ref: 6A40B06C
                            • Part of subcall function 6A40CCA0: _CxxThrowException.VCRUNTIME140(?,6A550EEC,6A550E94,?), ref: 6A40CCBE
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ExceptionThrow_errno_invalid_parameter_noinfo_noreturnmemmove
                          • String ID: for writing$Failed opening file
                          • API String ID: 392238748-807226085
                          • Opcode ID: b20c0a65066e379e2507661abd44cc9cb66ad1ba60957f796a74df288cf01b96
                          • Instruction ID: 7575ac10af469cb94e96112dde8306466606f55c2e91052cd49b2c573fe49929
                          • Opcode Fuzzy Hash: b20c0a65066e379e2507661abd44cc9cb66ad1ba60957f796a74df288cf01b96
                          • Instruction Fuzzy Hash: 81E15B70D00209DFDB10CFA8CD48B9DBBB5FF49314F218669E469A7291DB30AA85DF90
                          APIs
                            • Part of subcall function 6A3FBA30: memmove.VCRUNTIME140 ref: 6A3FBA95
                          • _Mtx_init_in_situ.MSVCP140(?,00000002), ref: 6A3FC4C5
                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000), ref: 6A3FC69F
                          Strings
                          • rotating sink constructor: max_size arg cannot be zero, xrefs: 6A3FC6D3
                          • rotating sink constructor: max_files arg cannot exceed 200000, xrefs: 6A3FC6E7
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Mtx_init_in_situ_invalid_parameter_noinfo_noreturnmemmove
                          • String ID: rotating sink constructor: max_files arg cannot exceed 200000$rotating sink constructor: max_size arg cannot be zero
                          • API String ID: 3995984182-3744533619
                          • Opcode ID: 2b5f107607fc7f778cc51e49604ba6ea903d683366a1701976c2c9b0e85d62a0
                          • Instruction ID: 62ec01de983e7b8ebed44cf5911aca7ed3a213632ddf6c263eb44d206666de60
                          • Opcode Fuzzy Hash: 2b5f107607fc7f778cc51e49604ba6ea903d683366a1701976c2c9b0e85d62a0
                          • Instruction Fuzzy Hash: CF91BCB0910248DFDB00CF69C944B9EBBF0BF49308F11865EE8599B791DB75AA44CFA1
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 6CBF328B
                          • SysAllocString.OLEAUT32(00000000), ref: 6CBF329B
                          • VariantClear.OLEAUT32(?), ref: 6CBF337A
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\xmlutil.cpp, xrefs: 6CBF32B3
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956392338.000000006CBF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CBF0000, based on PE: true
                          • Associated: 00000001.00000002.2956368107.000000006CBF0000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000001.00000002.2956422927.000000006CC08000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000001.00000002.2956449438.000000006CC10000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000001.00000002.2956473751.000000006CC12000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6cbf0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Variant$AllocClearInitString
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\xmlutil.cpp
                          • API String ID: 2213243845-465705221
                          • Opcode ID: b38e32dd4c7b873e1ab48484777373158312b4836a4a98f97ff7840aa2308086
                          • Instruction ID: d47ecfde113463c8a37a40bc07b2773ab2d36113f49c45572bcff46d762e832a
                          • Opcode Fuzzy Hash: b38e32dd4c7b873e1ab48484777373158312b4836a4a98f97ff7840aa2308086
                          • Instruction Fuzzy Hash: FC41D471E04265ABCB10DFA5C888E9F7BB8EF06710F0581A5EC21EB301DB70CC058BA2
                          APIs
                          • InternetCloseHandle.WININET(?), ref: 6A4106C3
                          • GetLastError.KERNEL32(InternetCloseHandle failed with error code ,6A4F0B04,nitro::http::wininet_handle::~wininet_handle), ref: 6A410718
                          Strings
                          • nitro::http::wininet_handle::~wininet_handle, xrefs: 6A4106EE
                          • InternetCloseHandle failed with error code , xrefs: 6A41070A
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: CloseErrorHandleInternetLast
                          • String ID: InternetCloseHandle failed with error code $nitro::http::wininet_handle::~wininet_handle
                          • API String ID: 3690491403-2312826981
                          • Opcode ID: 62b061abe32e2bab57e664ee7aaa92c65378cc19fcd4714a1833d8450882e586
                          • Instruction ID: 04872dd7c639c34c275890d55654eca157e39930a420804a8926fac043f426de
                          • Opcode Fuzzy Hash: 62b061abe32e2bab57e664ee7aaa92c65378cc19fcd4714a1833d8450882e586
                          • Instruction Fuzzy Hash: 41118C71900154ABCF14EFA4DC98FAE73F8AF48248F110579E92AD7281EF34AA04CA80
                          APIs
                          • memset.VCRUNTIME140(?,00000000,00000200), ref: 6A420676
                          • GetUserNameW.ADVAPI32(?,00000100), ref: 6A42068C
                          • memmove.VCRUNTIME140(?,?), ref: 6A4206D8
                          • memmove.VCRUNTIME140(00000000,?,00000100,00000101), ref: 6A420740
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: memmove$NameUsermemset
                          • String ID:
                          • API String ID: 774422762-0
                          • Opcode ID: a4d28bf83a8379c7c648cca4fc312087896bc51708cbeebaf0c1b3412e3b7172
                          • Instruction ID: 27f1946384978eea298311f89dcebbe6b01931ffb19f73355b75c04fccf79ef6
                          • Opcode Fuzzy Hash: a4d28bf83a8379c7c648cca4fc312087896bc51708cbeebaf0c1b3412e3b7172
                          • Instruction Fuzzy Hash: 3C3187B1D003189BDB20DF64DC98B9AB3E8EF45304F1142AAD926D7252DB309E448B91
                          APIs
                          • __RTC_Initialize.LIBCMT ref: 6A4E026F
                            • Part of subcall function 6A4E0AED: InitializeSListHead.KERNEL32(6A564610,6A4E0279,6A554068,00000010,6A4E020A,?,?,?,6A4E0432,?,00000001,?,?,00000001,?,6A5540B0), ref: 6A4E0AF2
                          • _initterm_e.API-MS-WIN-CRT-RUNTIME-L1-1-0(6A4EC338,6A4EC340,6A554068,00000010,6A4E020A,?,?,?,6A4E0432,?,00000001,?,?,00000001,?,6A5540B0), ref: 6A4E0288
                          • _initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0(6A4EA71C,6A4EC32C,6A554068,00000010,6A4E020A,?,?,?,6A4E0432,?,00000001,?,?,00000001,?,6A5540B0), ref: 6A4E02A6
                          • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6A4E02D9
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image_initterm_initterm_e
                          • String ID:
                          • API String ID: 590286634-0
                          • Opcode ID: 6606d1c23ef54de4b746d6e974cd123cd6200ef70d96d90c3f416917c0bd75c3
                          • Instruction ID: 71d1c93df111487d90e05796bec027b28ac867e7ab1cea8224a3001368af94de
                          • Opcode Fuzzy Hash: 6606d1c23ef54de4b746d6e974cd123cd6200ef70d96d90c3f416917c0bd75c3
                          • Instruction Fuzzy Hash: 5A21AE312852059ADB60ABBC9D18FAD37B1BFA236BF12001ED5B0676C3DF715900C6E6
                          APIs
                            • Part of subcall function 6A4DFBA4: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6A3CE626,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 6A4DFBB9
                          • memset.VCRUNTIME140(00000000,00000000,000000C0,?,?,?,?,?,?,00000000,6A4E32B9,000000FF,?,6A3D1809,?), ref: 6A3E3997
                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000005,?), ref: 6A3E3ABA
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: _invalid_parameter_noinfo_noreturnmallocmemset
                          • String ID: UNKNOWN
                          • API String ID: 3803164509-2455984605
                          • Opcode ID: 6ee8a0d4e09c2748622e0e366d036c0466e2d55927dbe72d30b3c9d10cc1bbce
                          • Instruction ID: 3fece918de07b21b5304796e493c2ca44415949ea7723e06945b44e4eda85f64
                          • Opcode Fuzzy Hash: 6ee8a0d4e09c2748622e0e366d036c0466e2d55927dbe72d30b3c9d10cc1bbce
                          • Instruction Fuzzy Hash: EF71EE70900744CFE710CF68C958B9ABBF0FF05318F15865EE4969B3A2CBB5A984CB91
                          APIs
                          • LookupAccountSidW.ADVAPI32(00000000,?,?,00000101,?,?,?), ref: 6A41F05B
                          • GetLastError.KERNEL32(device: LookupAccountSid failed: ,5574176C), ref: 6A41F09F
                          Strings
                          • device: LookupAccountSid failed: , xrefs: 6A41F08D
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: AccountErrorLastLookup
                          • String ID: device: LookupAccountSid failed:
                          • API String ID: 3062591017-1750481975
                          • Opcode ID: 0d0cb4d2a794e88d5ecedc4a16d19010ffd8a390299184f1673611137aff9dfd
                          • Instruction ID: 88c60894dd8b5a50fb43a855f1507c5a4caef52f6eaae28da1fa4c89f72fd848
                          • Opcode Fuzzy Hash: 0d0cb4d2a794e88d5ecedc4a16d19010ffd8a390299184f1673611137aff9dfd
                          • Instruction Fuzzy Hash: 30516EB1C106599ADB10CF24CC94BEAB7B9BF95308F10439AE91963241EB766BD4CF90
                          APIs
                            • Part of subcall function 6A40D890: RegOpenKeyExW.KERNEL32(6A3E5735,5574176C,00000000,00000101,?,?,?,6A41FD9B,80000002,SOFTWARE\Microsoft\Cryptography,00000101,5574176C,6A3E5735,?), ref: 6A40D8A2
                            • Part of subcall function 6A40D520: RegQueryValueExW.KERNEL32(?,80000001,00000000,00000001,00000000,?,5574176C,00000000), ref: 6A40D56B
                            • Part of subcall function 6A40D520: memset.VCRUNTIME140(00000000,00000000,?), ref: 6A40D5AC
                            • Part of subcall function 6A40D520: RegQueryValueExW.KERNEL32(?,80000001,00000000,00000000,00000000,00000000), ref: 6A40D5D2
                            • Part of subcall function 6A40D450: RegCloseKey.ADVAPI32(?,?,6A3E44FF,nls_acc,?,nls_user,?,80000001,00000001,5574176C), ref: 6A40D455
                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(AnalyticsDisabled,?,80000002,6A4F1D10,00000001,5574176C,?,?), ref: 6A3E4817
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: QueryValue$CloseOpen_invalid_parameter_noinfo_noreturnmemset
                          • String ID: AnalyticsDisabled$dNj
                          • API String ID: 3983723937-2660509402
                          • Opcode ID: be2029386b0024e07ea14085cfcf99925ed32892408e1f4cc631e2baf29de4cc
                          • Instruction ID: 56a923e2393d3eafad3bc3acc95280440f6135a2295cefea7c5130f1ea8fa7b5
                          • Opcode Fuzzy Hash: be2029386b0024e07ea14085cfcf99925ed32892408e1f4cc631e2baf29de4cc
                          • Instruction Fuzzy Hash: 6D41D531E14198DBCB04CBA4CC94BEDBBB5FF4A314F15011AD82173681DF366A84CBA1
                          APIs
                          • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?,5574176C,?,?), ref: 6A404EDF
                          • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 6A404F07
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: _errnofflush
                          • String ID: Failed flush to file
                          • API String ID: 748766958-3191539217
                          • Opcode ID: 1812ce4bf85ec0e3b7b3b7d4280f4e4d36f93df7c4b3f3d7e1ac342fda0e633f
                          • Instruction ID: 920666c5365c67f877bd007407c329fd0f87f7e510e77cd65b4d96a014c9cfcf
                          • Opcode Fuzzy Hash: 1812ce4bf85ec0e3b7b3b7d4280f4e4d36f93df7c4b3f3d7e1ac342fda0e633f
                          • Instruction Fuzzy Hash: 00015EB1804148EFCB00DBA5CC08F9BB7BCFB45218F01457AE926D3642EB34A904C6A0
                          APIs
                          • RegQueryValueExW.KERNEL32(?,80000001,00000000,00000001,00000000,?,5574176C,00000000), ref: 6A40D56B
                          • memset.VCRUNTIME140(00000000,00000000,?), ref: 6A40D5AC
                          • RegQueryValueExW.KERNEL32(?,80000001,00000000,00000000,00000000,00000000), ref: 6A40D5D2
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: QueryValue$memset
                          • String ID:
                          • API String ID: 1125319197-0
                          • Opcode ID: e51600bf903f2518fc01386e4c4ce4d312c555b5199b5fef0b3a2954c569705c
                          • Instruction ID: 16a7929b5977872aff1ba0787530413d4951f2939c5450d12a297f521f41e39e
                          • Opcode Fuzzy Hash: e51600bf903f2518fc01386e4c4ce4d312c555b5199b5fef0b3a2954c569705c
                          • Instruction Fuzzy Hash: C231B076A40218ABDB149F54CC01FAFBBB8FF49744F114529FD25E7280DB719A05CAA0
                          APIs
                          • memset.VCRUNTIME140(?,00000000,00000030,5574176C), ref: 6A3E441C
                            • Part of subcall function 6A40D890: RegOpenKeyExW.KERNEL32(6A3E5735,5574176C,00000000,00000101,?,?,?,6A41FD9B,80000002,SOFTWARE\Microsoft\Cryptography,00000101,5574176C,6A3E5735,?), ref: 6A40D8A2
                            • Part of subcall function 6A40D520: RegQueryValueExW.KERNEL32(?,80000001,00000000,00000001,00000000,?,5574176C,00000000), ref: 6A40D56B
                            • Part of subcall function 6A40D520: memset.VCRUNTIME140(00000000,00000000,?), ref: 6A40D5AC
                            • Part of subcall function 6A40D520: RegQueryValueExW.KERNEL32(?,80000001,00000000,00000000,00000000,00000000), ref: 6A40D5D2
                            • Part of subcall function 6A40D450: RegCloseKey.ADVAPI32(?,?,6A3E44FF,nls_acc,?,nls_user,?,80000001,00000001,5574176C), ref: 6A40D455
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: QueryValuememset$CloseOpen
                          • String ID: nls_acc$nls_user
                          • API String ID: 3068387114-3340676638
                          • Opcode ID: 5072805cb5a180d5d118911dbf2f8111cdab21cc50783cfda8de253a0460b62e
                          • Instruction ID: 4dc8cb94fafe1765a01b24c5e152963ede5de0038fbbc630bef2892234490ecd
                          • Opcode Fuzzy Hash: 5072805cb5a180d5d118911dbf2f8111cdab21cc50783cfda8de253a0460b62e
                          • Instruction Fuzzy Hash: 6A414C71C10349DBDB10CFA4C948BDEBBF4FF15308F10461AD425A7681EBB56688CBA1
                          APIs
                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 6CBF1E0B
                          • GetLastError.KERNEL32 ref: 6CBF1E15
                          • LoadLibraryW.KERNEL32(?,?,00000104,?), ref: 6CBF1E7E
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956392338.000000006CBF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CBF0000, based on PE: true
                          • Associated: 00000001.00000002.2956368107.000000006CBF0000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000001.00000002.2956422927.000000006CC08000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000001.00000002.2956449438.000000006CC10000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000001.00000002.2956473751.000000006CC12000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6cbf0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: DirectoryErrorLastLibraryLoadSystem
                          • String ID:
                          • API String ID: 1230559179-0
                          • Opcode ID: 5de5686d6625f2807058782101ef6186697774ee2809550fa9131303d11c6c9c
                          • Instruction ID: dc04ce44288321e84abcbac57ea164a726de54fc6b17f00738d70e06a8a36d7f
                          • Opcode Fuzzy Hash: 5de5686d6625f2807058782101ef6186697774ee2809550fa9131303d11c6c9c
                          • Instruction Fuzzy Hash: 8A21C5F6E02369A7DB108B658C44F8FB77CAF00714F154965AD24F7740E770DD4A8AA0
                          APIs
                          • _Mtx_lock.MSVCP140(?,5574176C,?,?,?,?,6A4E5C0D,000000FF), ref: 6A404D8E
                          • _Mtx_unlock.MSVCP140(?), ref: 6A404DAC
                          • ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 6A404DC6
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: C_error@std@@Mtx_lockMtx_unlockThrow_
                          • String ID:
                          • API String ID: 2683325095-0
                          • Opcode ID: f9e16a4785c0d51eab279250c225d7bb60e1823cf7c5c964d6cd7c4cc24bb2ab
                          • Instruction ID: e8fc46833029d5a33c0c44b8b9755166034bf84eb586ac736c2306d02ba3c6f9
                          • Opcode Fuzzy Hash: f9e16a4785c0d51eab279250c225d7bb60e1823cf7c5c964d6cd7c4cc24bb2ab
                          • Instruction Fuzzy Hash: 4AF08CB2904558ABD704CF99DC04F9AB7ECFB19615F11422BE825C3740EFB5AA048BA1
                          APIs
                          • #324.MFC140U(00000000,5574176C), ref: 6A3D05BD
                          • ??0handler@metrics@nitro@@QAE@XZ.METRICS(00000000,5574176C), ref: 6A3D05CB
                          • ?Init@handler@metrics@nitro@@UAEXV?$unique_ptr@Vlicense_info@metrics@nitro@@U?$default_delete@Vlicense_info@metrics@nitro@@@std@@@std@@PBD_N2@Z.METRICS(?,00000000,00000000,5574176C,00000000,5574176C), ref: 6A3D05F0
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: #324??0handler@metrics@nitro@@Init@handler@metrics@nitro@@U?$default_delete@V?$unique_ptr@Vlicense_info@metrics@nitro@@Vlicense_info@metrics@nitro@@@std@@@std@@
                          • String ID:
                          • API String ID: 991889295-0
                          • Opcode ID: 80fc264b524d1c986080b381e1891c7242cac51e538664d86ff7dd914e642f01
                          • Instruction ID: aeb786a5f51c31a6d2735e06bd4e1fc55c7a16f4f01947b689aead2631ed5376
                          • Opcode Fuzzy Hash: 80fc264b524d1c986080b381e1891c7242cac51e538664d86ff7dd914e642f01
                          • Instruction Fuzzy Hash: 89014470500258EBCF01DF68CC05B9E7BF8FF09718F114619F815A7381DB756A048BA1
                          APIs
                          • _CxxThrowException.VCRUNTIME140(?,6A54C238), ref: 6A3CEC57
                          • _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6A3CE626,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 6A4DFBAC
                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6A3CE626,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 6A4DFBB9
                          • _CxxThrowException.VCRUNTIME140(?,6A5540CC), ref: 6A4E0F6F
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ExceptionThrow$_callnewhmalloc
                          • String ID:
                          • API String ID: 4113974480-0
                          • Opcode ID: cd71c120c7bdfcf762e97c5b71f800f63fe8c83a9ad5e0d9e25c41341846267f
                          • Instruction ID: df377e4232158a17fd369c2b5f8bccc4210086f72c3085af6c46d9cb2482c492
                          • Opcode Fuzzy Hash: cd71c120c7bdfcf762e97c5b71f800f63fe8c83a9ad5e0d9e25c41341846267f
                          • Instruction Fuzzy Hash: 10E0D83148420EB6CF10BB7CEC28D5D37AC6F11366B114665E934A50F2FF70EA6A81D1
                          APIs
                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6A41CDAE
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: _invalid_parameter_noinfo_noreturn
                          • String ID: /b
                          • API String ID: 3668304517-2700472610
                          • Opcode ID: 1b157c3110440e01ef25812f639631b4ca417723f804ca627424fc2ab6948a3f
                          • Instruction ID: e089141496d0b3decc86148af324a7562fcde4cc28756d9b5b88613616771ef6
                          • Opcode Fuzzy Hash: 1b157c3110440e01ef25812f639631b4ca417723f804ca627424fc2ab6948a3f
                          • Instruction Fuzzy Hash: CD51E371904248CFDF14CF68CC98BEDBBB5AF45314F24861ED421A7391DB34AA95CB61
                          APIs
                          • RegQueryValueExW.KERNEL32(00000004,00000000,00000000,?,80000002,00020019,00000000,00000000,?,?,?,6CBF115B,?,Install,?,80000002), ref: 6CBF22E2
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\regutil.cpp, xrefs: 6CBF2332
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956392338.000000006CBF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CBF0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6cbf0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: QueryValue
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\regutil.cpp
                          • API String ID: 3660427363-1760534440
                          • Opcode ID: 43e2ed5825283860a500798279b71bc28e3e5d0d750b8753415adf6deecb6ba2
                          • Instruction ID: 83d52421d878ce3ba0c8bf6e9c78346b50a2e3906f49f12e5f75090c3eed91c8
                          • Opcode Fuzzy Hash: 43e2ed5825283860a500798279b71bc28e3e5d0d750b8753415adf6deecb6ba2
                          • Instruction Fuzzy Hash: A601FCB1A411E5FFDB144A468C0CA9F7EA8EB41374F144126BC15EB744E2B0CD16C7E2
                          APIs
                          • RegOpenKeyExW.KERNEL32(00020019,00000000,00000000,80000002,6CBF1146,00000000,00000000,?,6CBF1146,80000002,00000000,00020019,?,?,?,?), ref: 6CBF226E
                          Strings
                          • c:\agent\_work\35\s\wix\src\libs\dutil\regutil.cpp, xrefs: 6CBF22AB
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956392338.000000006CBF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CBF0000, based on PE: true
                          • Associated: 00000001.00000002.2956368107.000000006CBF0000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000001.00000002.2956422927.000000006CC08000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000001.00000002.2956449438.000000006CC10000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000001.00000002.2956473751.000000006CC12000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6cbf0000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Open
                          • String ID: c:\agent\_work\35\s\wix\src\libs\dutil\regutil.cpp
                          • API String ID: 71445658-1760534440
                          • Opcode ID: 5e8fc0dfb4ed32a11c18f3876e092a018963e7ecb1b3c639cc2975b315d18418
                          • Instruction ID: cdd04bf30721a6dc8a33935fa4249a4eb65a06a23339845da56d24b01d18c995
                          • Opcode Fuzzy Hash: 5e8fc0dfb4ed32a11c18f3876e092a018963e7ecb1b3c639cc2975b315d18418
                          • Instruction Fuzzy Hash: 7AF050327011EA63AB2009964C08B977F55EB453B0F1581267C58DF710D631CC2697E2
                          APIs
                            • Part of subcall function 6A3CEE40: memmove.VCRUNTIME140(?,?,00000000,00000001,?,?,?,6A3E2666,00000000,00000001), ref: 6A3CEE6A
                          • _Xtime_get_ticks.MSVCP140(?,?,?,5574176C,?,?), ref: 6A405032
                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 6A4050C6
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          • Associated: 00000001.00000002.2956019742.000000006A380000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956226101.000000006A558000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956253117.000000006A55A000.00000008.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956278956.000000006A55D000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956304864.000000006A564000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956329196.000000006A565000.00000002.00000001.01000000.0000000D.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Xtime_get_ticks_invalid_parameter_noinfo_noreturnmemmove
                          • String ID:
                          • API String ID: 2600422416-0
                          • Opcode ID: c8e994b680234c9fe4aa71becf7796e4040b3b56404d1e114caecd3f5cd412d8
                          • Instruction ID: e4f0ff91ca6b63b3e17115255a1ff79da4190dfc9b40845c7582d4e8437d2964
                          • Opcode Fuzzy Hash: c8e994b680234c9fe4aa71becf7796e4040b3b56404d1e114caecd3f5cd412d8
                          • Instruction Fuzzy Hash: 50516970D05248AFDB14CFA8C858B9EFBF1FF09314F248259E469A7381DB756A44CB92
                          APIs
                          • memmove.VCRUNTIME140(00000010,6A3CEFFA,00000010,?,?,?,6A3CEFFA,?,00000000,00000000,00000001), ref: 6A3CF54A
                          • memmove.VCRUNTIME140(00000000,6A3CEFFA,0C458B09,0C458B09,00000000,?,?,?,6A3CEFFA,?,00000000,00000000,00000001), ref: 6A3CF592
                            • Part of subcall function 6A3D0130: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,6A3DC52E,?,?,?,?,?,?,00000000,?), ref: 6A3D0135
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          • Associated: 00000001.00000002.2956019742.000000006A380000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956226101.000000006A558000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956253117.000000006A55A000.00000008.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956278956.000000006A55D000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956304864.000000006A564000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956329196.000000006A565000.00000002.00000001.01000000.0000000D.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: memmove$Xlength_error@std@@
                          • String ID:
                          • API String ID: 1743304318-0
                          • Opcode ID: b238c68874d6ce7acba630331fb90ce3e3701fb27dd7df1133c05b7addd8418c
                          • Instruction ID: 30311a33ec65ed90bef0fef59369a3958308195d98a2b1705991d3ede6449535
                          • Opcode Fuzzy Hash: b238c68874d6ce7acba630331fb90ce3e3701fb27dd7df1133c05b7addd8418c
                          • Instruction Fuzzy Hash: D0110872A043049FD3209F28D884A56B7E9FF54364F11072FF15687291EB71E94487E2
                          APIs
                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(5574176C,?,Function_00162100,000000FF,?,6A3E5973,?,00000001,5574176C,?,Function_00162060,000000FF), ref: 6A3E673A
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          • Associated: 00000001.00000002.2956019742.000000006A380000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956226101.000000006A558000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956253117.000000006A55A000.00000008.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956278956.000000006A55D000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956304864.000000006A564000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956329196.000000006A565000.00000002.00000001.01000000.0000000D.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: _invalid_parameter_noinfo_noreturn
                          • String ID:
                          • API String ID: 3668304517-0
                          • Opcode ID: 81e82810600d9117deb04bfea2a04a3a284e77f9c022556b12ec07d4f6b443c0
                          • Instruction ID: 1f22948cb95976c98dbe824b119a711946844a7e35446f4d9f376d1daffed191
                          • Opcode Fuzzy Hash: 81e82810600d9117deb04bfea2a04a3a284e77f9c022556b12ec07d4f6b443c0
                          • Instruction Fuzzy Hash: A3F0C272A00048AFDB18CF58CC54F59B7A9FB05325F10836EF626C7B80DB38AA408B50
                          APIs
                            • Part of subcall function 6A4DFBA4: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6A3CE626,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 6A4DFBB9
                          • ??0_Concurrent_queue_base_v4@details@Concurrency@@IAE@I@Z.CONCRT140(00000008), ref: 6A3F61E5
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          • Associated: 00000001.00000002.2956019742.000000006A380000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956226101.000000006A558000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956253117.000000006A55A000.00000008.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956278956.000000006A55D000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956304864.000000006A564000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956329196.000000006A565000.00000002.00000001.01000000.0000000D.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: ??0_Concurrency@@Concurrent_queue_base_v4@details@malloc
                          • String ID:
                          • API String ID: 912415408-0
                          • Opcode ID: bb62ea851d912cd817c952b97da748a3d41a2f11d0e5544628f054606326e595
                          • Instruction ID: cc0b6a004a0d19c6ed804f6ba2074471c66cc002427672ef622a7d733e5c370c
                          • Opcode Fuzzy Hash: bb62ea851d912cd817c952b97da748a3d41a2f11d0e5544628f054606326e595
                          • Instruction Fuzzy Hash: D901A171A08685DBD710CF49D801B99FBF8FF85620F10062FE82583780EBB55900C790
                          APIs
                          • RegCreateKeyExW.KERNEL32(?,811C9DC5,00000000,00000000,00000000,6A41A619,00000000,00000009,00000000,?,?,6A41A619,811C9DC5,?,00020019,?), ref: 6A40D48A
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          • Associated: 00000001.00000002.2956019742.000000006A380000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956226101.000000006A558000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956253117.000000006A55A000.00000008.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956278956.000000006A55D000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956304864.000000006A564000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956329196.000000006A565000.00000002.00000001.01000000.0000000D.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: 89831ce0a03e98f2961d0398ddeb84787e713e266d77e2fb187100611ab71022
                          • Instruction ID: 9c7e439aff30975bfe63d4f9958d5e00f2021b9fc6240b3e9e6dfcec2f2dfbf4
                          • Opcode Fuzzy Hash: 89831ce0a03e98f2961d0398ddeb84787e713e266d77e2fb187100611ab71022
                          • Instruction Fuzzy Hash: F3E01D3228031477EB205F81DC46FD77F58DB517A1F144426F7145D1D0D6B26465E794
                          APIs
                          • RegOpenKeyExW.KERNEL32(6A3E5735,5574176C,00000000,00000101,?,?,?,6A41FD9B,80000002,SOFTWARE\Microsoft\Cryptography,00000101,5574176C,6A3E5735,?), ref: 6A40D8A2
                          Memory Dump Source
                          • Source File: 00000001.00000002.2956046962.000000006A381000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6A380000, based on PE: true
                          • Associated: 00000001.00000002.2956019742.000000006A380000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956226101.000000006A558000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956253117.000000006A55A000.00000008.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956278956.000000006A55D000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956304864.000000006A564000.00000004.00000001.01000000.0000000D.sdmp
                          • Associated: 00000001.00000002.2956329196.000000006A565000.00000002.00000001.01000000.0000000D.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_6a380000_nitro_pro14.jbxd
                          Similarity
                          • API ID: Open
                          • String ID:
                          • API String ID: 71445658-0
                          • Opcode ID: a0ab4ba2b8f1eca55745314a5f53ff1cdac8572607d6e95d8027258647adc308
                          • Instruction ID: d259607656d0821e525a7a802d769533b3fcb893b1721e0e516da0bb4d95e263
                          • Opcode Fuzzy Hash: a0ab4ba2b8f1eca55745314a5f53ff1cdac8572607d6e95d8027258647adc308
                          • Instruction Fuzzy Hash: EDD01233144218BBDB101F85DC05FD77BA8EF513A1F00802AF61486110D6B25461ABD0
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2950031266.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_31a0000_nitro_pro14.jbxd
                          Similarity
                          • API ID:
                          • String ID: tPsq
                          • API String ID: 0-2327162360
                          • Opcode ID: 780ee69d83ce375b7b3ae1a7de933fbec56eceaad3d7414fdc11066b86fa369d
                          • Instruction ID: 9b6235bf185fc5912817794b756b89ac799ceb5370ed38d4cdc6500a546a1238
                          • Opcode Fuzzy Hash: 780ee69d83ce375b7b3ae1a7de933fbec56eceaad3d7414fdc11066b86fa369d
                          • Instruction Fuzzy Hash: D6A19C78E01318CFCB69DFB4D998A9DBBB2BF49301F1089A9D509AB350DB319981CF50
                          Memory Dump Source
                          • Source File: 00000001.00000002.2950031266.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_31a0000_nitro_pro14.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 305fc7ee1548bfe5911c53538772243976c585bd811631a57acb259c5d461878
                          • Instruction ID: 3a6ab80f03f14702570fad715a0eaf4cc41669ef0d9ef2f7c38899a0086c923c
                          • Opcode Fuzzy Hash: 305fc7ee1548bfe5911c53538772243976c585bd811631a57acb259c5d461878
                          • Instruction Fuzzy Hash: 52B09239200000ABC204CB40C990C15F7A2EFD8308B28C49DA90D4B252CB33EC13EB00
                          Memory Dump Source
                          • Source File: 00000001.00000002.2950031266.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_31a0000_nitro_pro14.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ab56b9be65b150dfd6bc3e611d9737e2323723e642f31e507300ed4790206bc0
                          • Instruction ID: 1c3c1f321516a053f1876d668528d56252fcbd39e9fa12eff37dc2cca47dfd20
                          • Opcode Fuzzy Hash: ab56b9be65b150dfd6bc3e611d9737e2323723e642f31e507300ed4790206bc0
                          • Instruction Fuzzy Hash: 73B012A140426315C70042604418F177D551760301F004811B38085080C8398020CAA4