Edit tour

Windows Analysis Report
Setup (1).exe

Overview

General Information

Sample name:	Setup (1).exe
Analysis ID:	1396397
MD5:	e55722d0c66670c13ca4bdf2025c12d7
SHA1:	50cd053864b3dbb3eb48de27d42c53bb5bc1e913
SHA256:	fa6578e355591999bce7d89b08c43d9a57ec379099cc9cc84a09a48c37f84900
Infos:

Detection

Score:	42
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	47
Range:	0 - 100

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Contains functionality to check if the process is started with administrator privileges

Contains functionality to infect the boot sector

Found API chain indicative of debugger detection

Found stalling execution ending in API Sleep call

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Tries to harvest and steal browser information (history, passwords, etc)

Abnormal high CPU Usage

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries keyboard layouts

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

Setup (1).exe (PID: 3944 cmdline: C:\Users\user\Desktop\Setup (1).exe MD5: E55722D0C66670C13CA4BDF2025C12D7)

chrome.exe (PID: 6280 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/installing.html?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 5424 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1932,i,407126297342683316,15967472951187862023,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

Setupuser.exe (PID: 7664 cmdline: "C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe" /fcid 1708534066480873 MD5: 6354C2FD7D3E21CB782A57AA601C44C8)

cmd.exe (PID: 7748 cmdline: cmd /c "C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp" > C:\Users\user\AppData\Local\FAST!\Temp\dskres.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

diskspd.exe (PID: 7800 cmdline: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp MD5: FC41CABDD3C18079985AC5F648F58A90)

chrome.exe (PID: 8100 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/installed.php?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7304 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1988,i,4595683001610926679,17947632816078318060,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

fast!.exe (PID: 7528 cmdline: C:\Program Files (x86)\Fast!\Fast!.exe MD5: CF118C6E3FAF9E10A566B4155AB5F2EF)

svchost.exe (PID: 6084 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

FastSRV.exe (PID: 8112 cmdline: C:\Program Files (x86)\Fast!\FastSRV.exe MD5: CD46510547991D8DC8ED3BA175985E4D)

fast!.exe (PID: 7172 cmdline: C:\Program Files (x86)\fast!\fast!.exe MD5: CF118C6E3FAF9E10A566B4155AB5F2EF)

nw.exe (PID: 2864 cmdline: "C:\Program Files (x86)\Fast!\nwjs\nw.exe" ui\. MD5: D6644E8A0C3C48607EC424BAE0FEB47E)

nw.exe (PID: 5960 cmdline: "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\FAST!\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\FAST!\User Data\Crashpad" "--metrics-dir=C:\Users\user\AppData\Local\FAST!\User Data" --annotation=plat=Win64 --annotation=prod=FAST! --annotation=ver= --initial-client-data=0x26c,0x270,0x274,0x268,0x278,0x7ffda39aa970,0x7ffda39aa980,0x7ffda39aa990 MD5: D6644E8A0C3C48607EC424BAE0FEB47E)

nw.exe (PID: 5064 cmdline: "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=gpu-process --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2036 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:2 MD5: D6644E8A0C3C48607EC424BAE0FEB47E)

nw.exe (PID: 5984 cmdline: "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --start-stack-profiler --mojo-platform-channel-handle=2396 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8 MD5: D6644E8A0C3C48607EC424BAE0FEB47E)

nw.exe (PID: 7876 cmdline: "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-GB --service-sandbox-type=service --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=2500 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8 MD5: D6644E8A0C3C48607EC424BAE0FEB47E)

nw.exe (PID: 7516 cmdline: "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --nwjs --extension-process --first-renderer-process --no-sandbox --file-url-path-alias="/gen=C:\Program Files (x86)\Fast!\nwjs\gen" --no-zygote --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1708532403761554 --launch-time-ticks=6663733321 --mojo-platform-channel-handle=2864 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:1 MD5: D6644E8A0C3C48607EC424BAE0FEB47E)

explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

nw.exe (PID: 7068 cmdline: "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=3364 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8 MD5: D6644E8A0C3C48607EC424BAE0FEB47E)

nw.exe (PID: 4820 cmdline: "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=3944 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8 MD5: D6644E8A0C3C48607EC424BAE0FEB47E)

nw.exe (PID: 1412 cmdline: "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=3848 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8 MD5: D6644E8A0C3C48607EC424BAE0FEB47E)

nw.exe (PID: 4932 cmdline: "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --start-stack-profiler --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4236 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:2 MD5: D6644E8A0C3C48607EC424BAE0FEB47E)

fast!.exe (PID: 6348 cmdline: C:\Program Files (x86)\fast!\fast!.exe MD5: CF118C6E3FAF9E10A566B4155AB5F2EF)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: explorer.exe PID: 4004	ironshell_php	Semi-Auto-generated - file ironshell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x13325e:$s2: ~ Shell I

Sigma Signatures

System Summary

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6084, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Fast!\FastSRV.exe	ReversingLabs: Detection: 58%
Source: C:\Program Files (x86)\Fast!\fast!.exe	ReversingLabs: Detection: 45%

Phishing

Source: https://veryfast.io/installing2.html?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873	HTTP Parser: No favicon
Source: https://veryfast.io/installing2.html?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873	HTTP Parser: No favicon
Source: https://veryfast.io/installing2.html?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873	HTTP Parser: No favicon
Source: https://veryfast.io/installing2.html?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873	HTTP Parser: No favicon
Source: https://veryfast.io/installed.php?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873	HTTP Parser: No favicon

Compliance

Uses 32bit PE files

Source: Setup (1).exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: Setup (1).exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Setup (1).exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: UxTheme.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winsta.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bcrypt.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nw82_win64\node-webkit\src\outst\nw\nw.dll.pdb source: nw.exe, 00000013.00000003.2836486724.0000026D91CA1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839281962.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2836653450.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: core.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nw82_win64\node-webkit\src\outst\nw\nw_elf.dll.pdb= source: nw.exe, 00000013.00000003.2836486724.0000026D91CA1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839281962.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2836653450.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WindowManagementAPI.pdbli.dll resources source: nw.exe, 00000013.00000003.2839794746.0000026D91C7B000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840500534.0000026D91C7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: nw.exe, 00000013.00000003.2840039452.0000026D8FF06000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdb source: nw.exe, 00000013.00000003.2840039452.0000026D8FF06000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .Storage.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msctf.pdby source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ,ColorAdapterClient.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ole32.pdby source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: &Windows.Storage.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdby source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Build\Build_vfs_2.334_D20240202T154808\veryfast.io\proc_booster\Release-Booster\proc_booster.pdb source: fast!.exe, 0000000E.00000000.2769320005.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000011.00000000.2775685966.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000018.00000002.2891621859.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000018.00000000.2871457721.000000000029C000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: kernel32.pdb source: nw.exe, 00000013.00000003.2841979994.0000026D8FEB6000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nw82_sdk_win64\node-webkit\src\outst\nw\initialexe\nw.exe.pdb source: nw.exe, 00000012.00000000.2805895132.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp, nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000000.2815469653.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC7000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000000.2823375777.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp, nw.exe, 00000015.00000000.2847572150.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp, nw.exe, 00000016.00000000.2856410253.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp, nw.exe, 00000019.00000000.2874336337.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: wkscli.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\SYSTEM32\dhcpcsvc6.DLLcore.pdb1' source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ThreadPoolServiceThreadTextInputFramework.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InputHost.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winspool.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: iphlpapi.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wpnapps.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nsi.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winmm.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: "CoreMessaging.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gpapi.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: powrprof.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System32\MMDevApi.dllponents.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ponents.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdby source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nw82_win64\node-webkit\src\outst\nw\ffmpeg.dll.pdb.dll source: nw.exe, 00000013.00000003.2836486724.0000026D91CA1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839281962.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2836653450.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Build\Build_vfs_2.334_D20240202T154808\veryfast.io\FastSRV\Release\FastSRV.pdb source: FastSRV.exe, 0000000D.00000000.2765015549.000000000100E000.00000002.00000001.01000000.00000013.sdmp, FastSRV.exe, 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: Windows.UI.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DWrite.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cfgmgr32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Build\Build_vfs_2.334_D20240202T154808\veryfast.io\proc_booster\Release-Booster\proc_booster.pdb\ source: fast!.exe, 0000000E.00000000.2769320005.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000011.00000000.2775685966.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000018.00000002.2891621859.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000018.00000000.2871457721.000000000029C000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: mscms.pdby source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ,TextInputFramework.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdby source: nw.exe, 00000013.00000003.2841979994.0000026D8FEB6000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: secur32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dpapi.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\rs1.obj.x86fre\sdktools\srvperf\diskspd.oss\cmdrequestcreator\objfre\i386\diskspd.pdbGCTL source: diskspd.exe, 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp
Source:	Binary string: netutils.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: nw.exe, 00000013.00000003.2840039452.0000026D8FF06000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WinTypes.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ,ColorAdapterClient.pdb] source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dhcpcsvc.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WindowManagementAPI.pdb source: nw.exe, 00000013.00000003.2839794746.0000026D91C7B000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840500534.0000026D91C7B000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdb source: nw.exe, 00000013.00000003.2840039452.0000026D8FF06000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: terClient.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nw82_win64\node-webkit\src\outst\nw\ffmpeg.dll.pdball_metrics.instalO source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: &twinapi.appcore.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (CoreUIComponents.pdbJk source: nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MMDevAPI.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: imm32.pdby source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dll.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System32\RMCLIENT.dllterClient.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnsapi.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nw82_win64\node-webkit\src\outst\nw\nw_elf.dll.pdb source: nw.exe, 00000013.00000003.2836486724.0000026D91CA1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839281962.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2836653450.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nlaapi.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: setupapi.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\rs1.obj.x86fre\sdktools\srvperf\diskspd.oss\cmdrequestcreator\objfre\i386\diskspd.pdb source: diskspd.exe, diskspd.exe, 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp
Source:	Binary string: winhttp.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gdi32full.pdb source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System32\WINTRUST.dlldll.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (CoreUIComponents.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RmClient.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dpapi.pdby source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fmpeg.dll.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdb source: nw.exe, 00000012.00000003.2860431579.000002316ED46000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winmm.pdby source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: nw.exe, 00000013.00000003.2840039452.0000026D8FF06000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: w_elf.dll.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ,TextInputFramework.pdb&l source: nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nw82_win64\node-webkit\src\outst\nw\nw.dll.pdbr[ source: nw.exe, 00000013.00000003.2836486724.0000026D91CA1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839281962.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2836653450.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $Kernel.Appcore.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\SYSTEM32\DEVOBJ.dll.Storage.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: TextInputFramework.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: version.pdb source: nw.exe, 00000013.00000003.2840039452.0000026D8FF06000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (CoreUIComponents.pdb)* source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wintrust.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (bcryptprimitives.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: nw.exe, 00000012.00000003.2863647667.000002316EE95000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860630745.000002316EE95000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: user32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptbase.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: nw.exe, 00000013.00000003.2841979994.0000026D8FEB6000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wtsapi32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nw82_win64\node-webkit\src\outst\nw\ffmpeg.dll.pdb source: nw.exe, 00000013.00000003.2836486724.0000026D91CA1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839281962.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2836653450.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: comctl32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gpapi.pdby source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: z:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: x:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: v:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: t:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: r:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: p:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: n:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: l:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: j:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: h:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: f:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: b:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: y:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: w:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: u:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: s:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: q:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: o:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: m:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: k:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: i:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: g:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: e:
Source: C:\Windows\explorer.exe	File opened: c:
Source: C:\Program Files (x86)\Fast!\fast!.exe	File opened: a:

Source: C:\Users\user\Desktop\Setup (1).exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\Setup (1).exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\Setup (1).exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Code function: 7_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	7_2_00405C49
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Code function: 7_2_00406873 FindFirstFileW,FindClose,	7_2_00406873
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Code function: 7_2_0040290B FindFirstFileW,	7_2_0040290B
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Code function: 13_2_01006CAD FindFirstFileExW,	13_2_01006CAD
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0028C562 FindFirstFileExW,	17_2_0028C562
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA3CC1C0 FindNextFileW,FindClose,FindFirstFileExW,GetLastError,GetFileAttributesW,	27_2_00007FF7CA3CC1C0

Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File opened: C:\Users\user\AppData\Local\FAST!\User Data\Default\Local Storage\
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File opened: C:\Users\user\AppData\Local\FAST!\User Data\
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File opened: C:\Users\user\
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File opened: C:\Users\user\AppData\Local\FAST!\User Data\Default\Local Storage\leveldb\
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File opened: C:\Users\user\AppData\

Networking

Contains functionality to check if a connection to the internet is available

Source: C:\Program Files (x86)\Fast!\fast!.exe

Code function: 17_2_0023E880 InternetCheckConnectionW,InternetCheckConnectionW,InternetCheckConnectionW,RegCreateKeyW,RegSetKeyValueW,CloseHandle,

17_2_0023E880

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 69.192.108.161 69.192.108.161
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 172.64.41.3 172.64.41.3

Source: nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864143662.000002316EF19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aglebug.H
Source: nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/14231360aD
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517B
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2871593480.000002316EDF1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/32067
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206x
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452)b_
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577Y
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584I
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584p
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586;
Source: nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970A
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970_
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324g
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384Cau
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864143662.000002316EF19000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428Abw
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551a
Source: nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551ple
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864143662.000002316EF19000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722i
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836n
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836v
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901/
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061e
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375cb
Source: nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535mb
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2871593480.000002316EDF1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881(
Source: nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881mp
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/59069
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906J
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906U
Source: nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906anced
Source: nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906mO
Source: nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906r
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906~
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041ja
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141l
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878gO
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953=
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953qb
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864143662.000002316EF19000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2871593480.000002316EDF1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488n_bptc
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864143662.000002316EF19000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2871593480.000002316EDF1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/77243-
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724Qag
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761xa
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/81628bL
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229q
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229wb
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280eak
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8291
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8291R
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8297
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/82979aO
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8297=bC
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8297d
Source: nw.exe, 00000019.00000003.2937935276.000039800055C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937575238.0000398000540000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937524440.000039800053C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2932769401.0000398000538000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2932602190.0000398000534000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937995621.000039800057C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937893520.000039800056C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://api.jquery.com/animate/
Source: explorer.exe, 0000001A.00000000.2902922002.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: Setup (1).exe, 00000000.00000003.2398759758.0000000002FA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: nw.exe, 00000019.00000003.2938070401.00003980005AC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://chartjs.org/
Source: nw.exe, 00000019.00000003.3060970751.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3057523030.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3060970751.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3057523030.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: nw.exe, 00000019.00000003.3053607155.000001C4AED1B000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3057523030.000001C4AED1B000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3060970751.000001C4AED1B000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AED1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl3
Source: nw.exe, 00000019.00000003.3060970751.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3057523030.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crlZ
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: nw.exe, 00000019.00000003.3054544218.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: nw.exe, 00000019.00000003.3060970751.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3057523030.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: explorer.exe, 0000001A.00000000.2902922002.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: Setup (1).exe, 00000000.00000003.2398759758.0000000002FA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: explorer.exe, 0000001A.00000000.2902922002.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: Setup (1).exe, 00000000.00000003.2398759758.0000000002FA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: nw.exe, 00000019.00000003.2887272508.000039800048C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2886972182.0000398000480000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2886922219.0000398000474000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crrev.com/c/2555698.
Source: svchost.exe, 00000004.00000003.2860755611.000002657AAC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: nw.exe, 00000019.00000003.2891146503.000001C42DA0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: svchost.exe, 00000004.00000003.2235564131.000002657AAC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: nw.exe, 00000019.00000003.2939533179.000001C42DA02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.comT
Source: nw.exe, 00000012.00000003.2856228361.000002316E46F000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E46F000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: nw.exe, 00000019.00000003.2937893520.000039800056C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.imgur.com/pT0i89v.png
Source: nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: nw.exe, 00000019.00000003.2937862084.000039800054C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937935276.000039800055C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937995621.000039800057C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937893520.000039800056C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://kottenator.github.io/jquery-circle-progress/
Source: Setup (1).exe, 00000000.00000000.2142096335.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Setup (1).exe, 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Setupuser.exe, 00000007.00000000.2384322424.000000000040A000.00000008.00000001.01000000.0000000B.sdmp, Setupuser.exe, 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Setup (1).exe, 00000000.00000003.2398759758.0000000002FA8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000000.2902922002.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000001A.00000000.2902922002.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: nw.exe, 00000019.00000003.3060970751.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3057523030.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052460691.000001C4AEF63000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: nw.exe, 00000019.00000003.3052460691.000001C4AEF63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/C
Source: nw.exe, 00000019.00000003.3060970751.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3057523030.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/K
Source: explorer.exe, 0000001A.00000000.2900973229.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.2897497933.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.2900950643.0000000007B50000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: nw.exe, 00000019.00000003.3052760831.0000534900542000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900B02000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://userguide.icu-project.org/strings/properties
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: nw.exe, 00000019.00000003.3067998583.000001C42D9E5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: nw.exe, 00000019.00000003.3030093002.000001C42D9E5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3067152469.000001C42D9E5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3066068694.000001C42D9E6000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3024117196.000001C42D9E5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3036345374.000001C42D9E5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3021575713.000001C42D9E5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3067998583.000001C42D9E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0radnlcoJ
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: nw.exe, 00000019.00000003.3060970751.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3057523030.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEE56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/M8vg
Source: Setup (1).exe, 00000000.00000003.2398759758.0000000002FA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3057523030.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3060970751.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: nw.exe, 00000019.00000003.3052760831.0000534900542000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900B02000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.midnight-commander.org/browser/lib/tty/key.c
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3060970751.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: nw.exe, 00000019.00000003.3058542689.0000534900602000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.squid-cache.org/Doc/config/half_closed_clients/
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/43r
Source: nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3057523030.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3060970751.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AccountChooser
Source: nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AccountChooser;3O
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3060970751.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standardW0
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3060970751.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies?_3
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850389338.000002316E50D000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864266456.000002316E506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850389338.000002316E50D000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864266456.000002316E506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos._
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chromeF_
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop8_
Source: nw.exe, 00000012.00000003.2850944838.000002316E3F2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E3EE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: nw.exe, 00000012.00000003.2850944838.000002316E3F2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E3EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxABJ
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke$_
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multiloginDisabled
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/pG
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1J3
Source: explorer.exe, 0000001A.00000003.2979155488.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000000.2903911007.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 0000001A.00000000.2910882616.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845mat
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162C
Source: nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162e_etc
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308Zbb
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/73195
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369%
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369Pbd
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369hb
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369nb
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369o
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899u
Source: explorer.exe, 0000001A.00000000.2902922002.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000001A.00000000.2902922002.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 0000001A.00000000.2902922002.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: nw.exe, 00000019.00000003.3058542689.0000534900602000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugs.chromium.org/p/v8/issues/detail?id=10201
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: nw.exe, 00000012.00000003.2854512728.000002316F4E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en-GB
Source: nw.exe, 00000012.00000003.2854512728.000002316F4E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en-GB1
Source: nw.exe, 00000012.00000003.2860630745.000002316EE7C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EEE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en-GBWeb
Source: nw.exe, 00000012.00000003.2854512728.000002316F4E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: nw.exe, 00000012.00000003.2854512728.000002316F4E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/c
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3060970751.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3060970751.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/m
Source: nw.exe, 00000012.00000003.2854512728.000002316F4E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: nw.exe, 00000012.00000003.2854512728.000002316F4E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxp
Source: nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://code.google.com/p/chromium/issues/detail?id=25916
Source: nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#console-namespace
Source: nw.exe	String found in binary or memory: https://crashpad.chromium.org/
Source: nw.exe	String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: nw.exe, 00000012.00000000.2805895132.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp, nw.exe, 00000013.00000000.2815469653.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp, nw.exe, 00000014.00000000.2823375777.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp, nw.exe, 00000015.00000000.2847572150.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp, nw.exe, 00000016.00000000.2856410253.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp, nw.exe, 00000019.00000000.2874336337.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3060970751.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900A02000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1297276
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3060970751.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900A02000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1309302
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3060970751.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900A42000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/701034
Source: nw.exe, 00000019.00000003.3052983007.0000534900402000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/v8/7848
Source: nw.exe, 00000019.00000003.3058542689.0000534900602000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
Source: nw.exe, 00000019.00000003.2937935276.000039800055C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937575238.0000398000540000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937524440.000039800053C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2932769401.0000398000538000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2932602190.0000398000534000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937995621.000039800057C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937893520.000039800056C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/CanvasRenderingContext2D.lineCap
Source: nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dom.spec.whatwg.org/#interface-abortcontroller
Source: nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dom.spec.whatwg.org/#interface-eventtarget
Source: nw.exe, 00000019.00000003.3058542689.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3177799024.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3180146505.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3183730297.0000534900802000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org
Source: nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org/#textdecoder
Source: nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://encoding.spec.whatwg.org/#textencoder
Source: nw.exe, 00000019.00000003.3124885117.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3047534576.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.00005349006C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://esdiscuss.org/topic/isconstructor#content-11
Source: explorer.exe, 0000001A.00000000.2910882616.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2983282897.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.3076180728.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2985772392.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com-
Source: nw.exe, 00000019.00000003.2886506801.000001C42BECA000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2886467690.000001C42DAD1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2887272508.000039800048C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2886972182.0000398000480000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fullscreen.spec.whatwg.org/#user-agent-level-style-sheet-defaults:
Source: svchost.exe, 00000004.00000003.2235564131.000002657AB1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000004.00000003.2235564131.000002657AAC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: nw.exe, 00000019.00000003.3124885117.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3047534576.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.00005349006C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/addaleax/eventemitter-asyncresource
Source: nw.exe, 00000019.00000003.3124885117.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3047534576.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.00005349006C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/chalk/ansi-regex/blob/HEAD/index.js
Source: nw.exe, 00000019.00000003.2938070401.00003980005AC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/chartjs/Chart.js/blob/master/LICENSE.md
Source: nw.exe, 00000019.00000003.3056426420.00005349005C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/chromium/chromium/blob/HEAD/third_party/blink/public/platform/web_crypto_algorith
Source: nw.exe, 00000019.00000003.3056426420.00005349005C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/denoland/deno/blob/v1.29.1/ext/crypto/00_crypto.js#L195
Source: nw.exe, 00000019.00000003.3052983007.0000534900402000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/heycam/webidl/pull/946.
Source: nw.exe, 00000019.00000003.3055363877.0000534900AC2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052760831.0000534900542000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/joyent/node/issues/3295.
Source: nw.exe, 00000019.00000003.3058542689.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3177799024.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3180146505.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3183730297.0000534900802000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/libuv/libuv/pull/1501.
Source: nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/libuv/libuv/pull/2025.
Source: nw.exe, 00000019.00000003.3055363877.0000534900B02000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/end-of-stream
Source: nw.exe, 00000019.00000003.3055363877.0000534900B02000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mafintosh/pump
Source: nw.exe, 00000019.00000003.3052760831.0000534900542000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900B02000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mysticatea/abort-controller
Source: nw.exe, 00000019.00000003.3055363877.0000534900AC2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052760831.0000534900542000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node-v0.x-archive/issues/2876.
Source: nw.exe, 00000019.00000003.3058542689.0000534900602000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6
Source: nw.exe, 00000019.00000003.3056426420.00005349005C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4
Source: nw.exe, 00000019.00000003.3052983007.0000534900402000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2890905104.000001C42DCB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2890672365.000001C42DCB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues
Source: nw.exe, 00000019.00000003.3058542689.0000534900602000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/13435
Source: nw.exe, 00000019.00000003.3058542689.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3177799024.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3180146505.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3183730297.0000534900802000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/19009
Source: nw.exe, 00000019.00000003.3055363877.0000534900AC2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3047534576.0000534900502000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/2006
Source: nw.exe, 00000019.00000003.3052760831.0000534900542000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900B02000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/35452
Source: nw.exe, 00000019.00000003.3055363877.0000534900AC2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3047534576.0000534900502000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/35862
Source: nw.exe, 00000019.00000003.3058542689.0000534900602000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/issues/45699
Source: nw.exe, 00000019.00000003.3047534576.0000534900582000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900B42000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/12342
Source: nw.exe, 00000019.00000003.3058542689.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3177799024.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3180146505.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3183730297.0000534900802000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/12607
Source: nw.exe, 00000019.00000003.3058542689.0000534900602000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/21313
Source: nw.exe, 00000019.00000003.3052983007.0000534900402000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/26334.
Source: nw.exe, 00000019.00000003.3052983007.0000534900402000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/30380#issuecomment-552948364
Source: nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/30958
Source: nw.exe, 00000019.00000003.3047534576.0000534900582000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900B02000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/32887
Source: nw.exe, 00000019.00000003.3052760831.0000534900542000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900B02000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/33515.
Source: nw.exe, 00000019.00000003.3058542689.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3177799024.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3180146505.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3183730297.0000534900802000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/34010
Source: nw.exe, 00000019.00000003.3055363877.0000534900AC2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052760831.0000534900542000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3047534576.0000534900502000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/34103#issuecomment-652002364
Source: nw.exe, 00000019.00000003.3047534576.0000534900582000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900B42000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/34375
Source: nw.exe, 00000019.00000003.3047534576.0000534900582000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900B02000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/35941
Source: nw.exe, 00000019.00000003.3052760831.0000534900542000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900B02000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/36061#discussion_r533718029
Source: nw.exe, 00000019.00000003.3052983007.00005349003C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/38248
Source: nw.exe, 00000019.00000003.3124885117.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3047534576.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.00005349006C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/38433#issuecomment-828426932
Source: nw.exe, 00000019.00000003.3052983007.0000534900402000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/38614)
Source: nw.exe, 00000019.00000003.3058542689.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3177799024.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3180146505.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3183730297.0000534900802000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/43714
Source: nw.exe, 00000019.00000003.3058542689.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3177799024.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3180146505.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3183730297.0000534900802000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/44004#discussion_r930958420
Source: nw.exe, 00000019.00000003.3058542689.0000534900602000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/46528
Source: nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/nodejs/node/pull/48477#issuecomment-1604586650
Source: nw.exe, 00000019.00000003.3058542689.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3177799024.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3180146505.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3183730297.0000534900802000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/standard-things/esm/issues/821.
Source: nw.exe, 00000019.00000003.3124885117.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3047534576.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.00005349006C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tc39/ecma262/issues/1209
Source: nw.exe, 00000019.00000003.3052760831.0000534900542000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900B02000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tc39/proposal-iterator-helpers/issues/169
Source: nw.exe, 00000019.00000003.2937862084.000039800054C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937935276.000039800055C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937995621.000039800057C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937893520.000039800056C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/umdjs/umd/blob/d31bb6ee7098715e019f52bdfe27b3e4bfd2b97e/templates/jqueryPlugin.js
Source: nw.exe, 00000019.00000003.2886506801.000001C42BECA000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2886467690.000001C42DAD1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2887272508.000039800048C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2886972182.0000398000480000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/6939#issuecomment-1016679588
Source: nw.exe, 00000019.00000003.3058542689.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3177799024.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3180146505.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3183730297.0000534900802000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goo.gl/t5IS6M).
Source: nw.exe, 00000012.00000003.2850944838.000002316E3F2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E3EE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3057523030.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3060970751.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3060970751.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/hangedX
Source: nw.exe, 00000019.00000003.3052983007.0000534900442000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#define-the-operations
Source: nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#dfn-default-iterator-object
Source: nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#dfn-iterator-prototype-object
Source: nw.exe, 00000019.00000003.3052983007.0000534900442000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-interfaces
Source: nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-iterable
Source: nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-iterable-entries
Source: nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-iterators
Source: nw.exe, 00000019.00000003.3052983007.0000534900442000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-namespaces
Source: nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://heycam.github.io/webidl/#es-stringifier
Source: nw.exe, 00000019.00000003.2886506801.000001C42BECA000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2886467690.000001C42DAD1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2887272508.000039800048C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2886972182.0000398000480000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/C/#the-details-and-summary-elements
Source: nw.exe, 00000019.00000003.2886506801.000001C42BECA000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2886467690.000001C42DAD1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2887272508.000039800048C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2886972182.0000398000480000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/rendering.html#flow-content-3
Source: nw.exe, 00000019.00000003.2886506801.000001C42BECA000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2886467690.000001C42DAD1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2887272508.000039800048C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2886972182.0000398000480000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/rendering.html#hidden-elements
Source: nw.exe, 00000019.00000003.3047534576.0000534900702000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3177799024.0000534900702000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.0000534900702000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.0000534900702000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.0000534900702000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3183730297.0000534900702000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval
Source: nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/web-messaging.html#broadcasting-to-other-browsing-contexts
Source: nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope
Source: nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope.
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: nw.exe, 00000019.00000003.3124885117.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3047534576.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.00005349006C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: nw.exe, 00000019.00000003.3137423278.00005349006C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://infra.spec.whatwg.org/#forgiving-base64
Source: nw.exe, 00000019.00000003.3124885117.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3047534576.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.00005349006C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://infra.spec.whatwg.org/#forgiving-base64-decode
Source: nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/
Source: nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903ertex
Source: nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748lo
Source: nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/2748591044o
Source: nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263X
Source: nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/288119108
Source: nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/292285899
Source: nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273WL
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacyf
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhonefa
Source: nw.exe, 00000019.00000003.3047534576.0000534900702000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3177799024.0000534900702000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.0000534900702000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.0000534900702000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.0000534900702000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3183730297.0000534900702000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode).
Source: nw.exe, 00000019.00000003.3058542689.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3177799024.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3180146505.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3183730297.0000534900802000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/fs.html
Source: nw.exe, 00000019.00000003.3052983007.0000534900482000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/api/permissions.html#file-system-permissions
Source: nw.exe, 00000019.00000003.3052983007.0000534900442000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/download/release/v20.7.0/node-v20.7.0-headers.tar.gz
Source: nw.exe, 00000019.00000003.3052983007.0000534900442000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/download/release/v20.7.0/node-v20.7.0.tar.gz
Source: nw.exe, 00000019.00000003.3052983007.0000534900442000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/download/release/v20.7.0/win-x64/node.lib
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3060970751.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: explorer.exe, 0000001A.00000000.2910882616.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2983282897.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.3076180728.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2985772392.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.come
Source: explorer.exe, 0000001A.00000000.2910882616.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEMd
Source: nw.exe, 00000019.00000003.3047534576.0000534900642000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html
Source: nw.exe, 00000019.00000003.3047534576.0000534900642000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html).
Source: Setup (1).exe, 00000000.00000002.2400896805.0000000002F50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://repcdn.veryfast.io/
Source: Setup (1).exe, 00000000.00000002.2400896805.0000000002F50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://repcdn.veryfast.io/download/2.334/Setupuser.exe
Source: Setup (1).exe, 00000000.00000002.2400896805.0000000002F50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://repcdn.veryfast.io/download/2.334/Setupuser.exe0
Source: Setup (1).exe, 00000000.00000002.2400896805.0000000002F50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://repcdn.veryfast.io/eer
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=dummytoken
Source: nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sourcemaps.info/spec.html
Source: nw.exe, 00000019.00000003.3047534576.0000534900582000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900B42000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/a/5501711/3561
Source: nw.exe, 00000019.00000003.3052760831.0000534900542000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900B02000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://streams.spec.whatwg.org/#example-manual-write-with-backpressure
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3060970751.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3060970751.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/h
Source: nw.exe, 00000019.00000003.3052983007.00005349003C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.es/ecma262/#sec-%typedarray%-intrinsic-object
Source: nw.exe, 00000019.00000003.3124885117.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3047534576.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.00005349006C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot
Source: nw.exe, 00000019.00000003.3058542689.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3177799024.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3180146505.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3183730297.0000534900802000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.es/ecma262/#sec-timeclip
Source: nw.exe, 00000019.00000003.3052983007.0000534900402000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.es/ecma262/#table-typeof-operator-results
Source: nw.exe, 00000019.00000003.3124885117.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3047534576.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.00005349006C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tc39.github.io/ecma262/#sec-%typedarray%.of
Source: nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2397#section-2
Source: nw.exe, 00000019.00000003.3047534576.0000534900642000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3986#section-3.2.2
Source: nw.exe, 00000019.00000003.3058542689.0000534900602000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7230#section-3.2.6
Source: nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-url
Source: nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-byte-serializer
Source: nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-parser
Source: nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#concept-urlencoded-serializer
Source: nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#dom-urlsearchparams-urlsearchparams
Source: nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#forbidden-host-code-point
Source: nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#url
Source: nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#urlsearchparams
Source: nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#urlsearchparams-stringification-behavior
Source: nw.exe, 00000019.00000003.3058542689.0000534900602000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://v8.dev/blog/v8-release-89
Source: fast!.exe, fast!.exe, 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000011.00000000.2775685966.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000018.00000002.2891621859.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000018.00000000.2871457721.000000000029C000.00000002.00000001.01000000.00000014.sdmp, nw.exe, 00000019.00000003.3044127165.0000398000664000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3043484535.0000398000664000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/
Source: Setup (1).exe, 00000000.00000002.2400896805.0000000002F50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/-end-point:
Source: Setup (1).exe, 00000000.00000002.2400896805.0000000002F50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/O
Source: fast!.exe, 0000000E.00000003.2807235307.0000000004566000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/V
Source: Setup (1).exe, 00000000.00000002.2399775782.0000000000619000.00000004.00000020.00020000.00000000.sdmp, Setup (1).exe, 00000000.00000003.2398778503.0000000000619000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/aZ
Source: fast!.exe, 0000000E.00000003.2804642757.00000000016B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/api/fast.php?a=configList&guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&version=2.33
Source: Setup (1).exe, 00000000.00000002.2399493788.0000000000558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/cpg.php?src=fast_mini&guid=
Source: Setup (1).exe, 00000000.00000003.2398778503.0000000000619000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/cpg.php?src=fast_mini&guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066
Source: Setup (1).exe, 00000000.00000002.2399493788.0000000000558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/download.php?user=1&guid=
Source: Setup (1).exe, 00000000.00000002.2400896805.0000000002F50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/download.php?user=1&guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066
Source: fast!.exe, 0000000E.00000003.2807235307.0000000004566000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/g
Source: fast!.exe, 0000000E.00000003.2807235307.0000000004566000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/h
Source: Setup (1).exe, 00000000.00000002.2399493788.0000000000558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/inst_addon.php?guid=
Source: Setup (1).exe, 00000000.00000002.2399493788.0000000000558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/inst_excl.php?guid=
Source: Setupuser.exe, 00000007.00000002.2783376835.0000000000701000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/installed.php?guid=
Source: Setupuser.exe, 00000007.00000002.2785435348.0000000002F93000.00000004.00000020.00020000.00000000.sdmp, Setupuser.exe, 00000007.00000002.2785435348.0000000002F52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/installed.php?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873
Source: Setupuser.exe, 00000007.00000002.2785435348.0000000002F93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/installed.php?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873(
Source: Setupuser.exe, 00000007.00000002.2785435348.0000000002F93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/installed.php?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=17085340664808735
Source: Setupuser.exe, 00000007.00000002.2785435348.0000000002F93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/installed.php?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873R
Source: Setupuser.exe, 00000007.00000002.2785435348.0000000002F71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/installed.php?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873j
Source: Setup (1).exe, 00000000.00000002.2399493788.0000000000558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/installing.html?guid=
Source: Setup (1).exe, 00000000.00000003.2398837127.00000000005B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/installing.html?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873
Source: nw.exe, 00000019.00000003.3137423278.0000534900682000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/keys/4D802742-3099-9C0E-C19B-2A23EA1FC420.license
Source: Setupuser.exe, 00000007.00000002.2783376835.0000000000701000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/pixel.gif?guid=
Source: Setup (1).exe, 00000000.00000002.2399493788.0000000000558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/pixel.gif?guid=&version=&evt_src=installer&evt_action=cancel
Source: Setup (1).exe, 00000000.00000003.2398778503.0000000000619000.00000004.00000020.00020000.00000000.sdmp, Setup (1).exe, 00000000.00000002.2399493788.0000000000558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/pixel.gif?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873&evt_s
Source: Setupuser.exe, 00000007.00000002.2785435348.0000000002F52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/pixel.gif?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873&versi
Source: fast!.exe, 0000000E.00000003.2807235307.0000000004561000.00000004.00000020.00020000.00000000.sdmp, fast!.exe, 0000000E.00000003.2807235307.0000000004566000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/pixel.gif?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&version=2.334&evt_src=Fast
Source: nw.exe, 00000019.00000003.3061744110.0000534900682000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3042520302.000001C4AEDCD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900382000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/pixel.gif?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&version=2.334&evt_src=produc
Source: Setup (1).exe, 00000000.00000002.2399493788.0000000000558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/privacy.html?guid=By
Source: Setupuser.exe, 00000007.00000002.2785435348.0000000002F93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/ram
Source: Setupuser.exe, 00000007.00000002.2783376835.0000000000701000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/register.php?guid=
Source: Setupuser.exe, 00000007.00000002.2783609286.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, Setupuser.exe, 00000007.00000003.2780591249.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, Setupuser.exe, 00000007.00000002.2785435348.0000000002F52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/register.php?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873&ch
Source: Setup (1).exe, 00000000.00000002.2399493788.0000000000558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/tos.html?guid=
Source: fast!.exe, 0000000E.00000003.2807235307.000000000453F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io:443/pixel.gif?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&version=2.334&evt_src=Fa
Source: nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/FileAPI/#creating-revoking
Source: nw.exe, 00000019.00000003.3047534576.0000534900582000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900B42000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/resource-timing/#dom-performance-setresourcetimingbuffersize
Source: nw.exe, 00000019.00000003.3056426420.00005349005C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/webcrypto/#algorithm-normalization-normalize-an-algorithm
Source: nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://webidl.spec.whatwg.org/#Exposed
Source: nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://webidl.spec.whatwg.org/#Exposed.
Source: nw.exe, 00000019.00000003.3052983007.0000534900402000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://webidl.spec.whatwg.org/#es-dictionary
Source: nw.exe, 00000019.00000003.3058542689.0000534900602000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://wiki.squid-cache.org/SquidFaq/InnerWorkings#What_is_a_half-closed_filedescriptor.3F
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000001A.00000003.2979155488.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000000.2903911007.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 0000001A.00000000.2910882616.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2983282897.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.3076180728.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2985772392.000000000C071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comM
Source: nw.exe, 00000019.00000003.3052983007.00005349003C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-promise.all
Source: nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/5.1/#sec-15.1.3.4
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico=
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3057523030.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3060970751.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: nw.exe, 00000019.00000003.3057523030.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3060970751.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/P
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/userinfo.profile
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/userinfo.profileC_
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfoOST
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfoh_
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token_hostb3
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/5_
Source: nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/u35
Source: nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/uG
Source: nw.exe, 00000019.00000003.3054420308.00005349004C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900B02000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.iana.org/assignments/tls-extensiontype-values
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: nw.exe, 00000019.00000003.3058542689.0000534900602000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc6266#section-4.3
Source: nw.exe, 00000019.00000003.3052983007.0000534900402000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8288.html#section-3
Source: nw.exe, 00000019.00000003.3058542689.0000534900602000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc9110#section-5.2
Source: nw.exe, 00000019.00000003.3124885117.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3047534576.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.00005349006C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\Setup (1).exe

Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056DE

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Program Files (x86)\Fast!\fast!.exe

Code function: 17_2_002437A0 GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount64,GetTickCount64,GetTickCount64,

17_2_002437A0

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR

Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls

Abnormal high CPU Usage

Source: C:\Program Files (x86)\Fast!\fast!.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe

Code function: 10_2_01001446 NtQuerySystemInformation,NtQuerySystemInformation,

10_2_01001446

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe

Code function: 10_2_01000FB0: CreateEventA,GetLastError,DeviceIoControl,GetLastError,WaitForSingleObject,GetLastError,CloseHandle,

10_2_01000FB0

Contains functionality to launch a process as a different user

Source: C:\Program Files (x86)\Fast!\FastSRV.exe

Code function: 13_2_01001260 WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,GetLastError,GetLastError,wsprintfW,wsprintfW,DuplicateTokenEx,wsprintfW,wsprintfW,ConvertStringSidToSidW,wsprintfW,GetLengthSid,SetTokenInformation,wsprintfW,CloseHandle,wsprintfW,CreateProcessAsUserW,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle,CloseHandle,GetLastError,wsprintfW,DestroyEnvironmentBlock,CloseHandle,CloseHandle,GetLastError,wsprintfW,CloseHandle,CloseHandle,GetLastError,wsprintfW,

13_2_01001260

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\Setup (1).exe	Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_0040352D
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Code function: 7_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		7_2_0040352D

Creates files inside the system directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_BITS_6280_223928296

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\Setup (1).exe	Code function: 0_2_0040755C	0_2_0040755C
Source: C:\Users\user\Desktop\Setup (1).exe	Code function: 0_2_00406D85	0_2_00406D85
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Code function: 7_2_0040755C	7_2_0040755C
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Code function: 7_2_00406D85	7_2_00406D85
Source: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe	Code function: 10_2_01001F60	10_2_01001F60
Source: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe	Code function: 10_2_00FFD640	10_2_00FFD640
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Code function: 13_2_0100D451	13_2_0100D451
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0024DB70	17_2_0024DB70
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0022C000	17_2_0022C000
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0029028C	17_2_0029028C
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0024C430	17_2_0024C430
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_002744B0	17_2_002744B0
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0024C640	17_2_0024C640
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_002367E0	17_2_002367E0
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0027A8B1	17_2_0027A8B1
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0022C000	17_2_0022C000
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0028EB0E	17_2_0028EB0E
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0027CB6E	17_2_0027CB6E
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0027EBA0	17_2_0027EBA0
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0027AC10	17_2_0027AC10
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0022AEC0	17_2_0022AEC0
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_002231E0	17_2_002231E0
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_002531E0	17_2_002531E0
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_00227580	17_2_00227580
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0022F5F5	17_2_0022F5F5
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0024B970	17_2_0024B970
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0028BAE6	17_2_0028BAE6
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_00235BB0	17_2_00235BB0
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_00283CB8	17_2_00283CB8
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0022BDB0	17_2_0022BDB0
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0024FDE0	17_2_0024FDE0
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA3AFC00	27_2_00007FF7CA3AFC00
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA35CB82	27_2_00007FF7CA35CB82
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA384B80	27_2_00007FF7CA384B80
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA379B22	27_2_00007FF7CA379B22
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA372B20	27_2_00007FF7CA372B20
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA36EB50	27_2_00007FF7CA36EB50
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA3DABE0	27_2_00007FF7CA3DABE0
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA40FC10	27_2_00007FF7CA40FC10
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA38AC70	27_2_00007FF7CA38AC70
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA385C70	27_2_00007FF7CA385C70
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA373CF8	27_2_00007FF7CA373CF8
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA49ECF8	27_2_00007FF7CA49ECF8
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA393C9D	27_2_00007FF7CA393C9D
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA4D1960	27_2_00007FF7CA4D1960
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA4CF930	27_2_00007FF7CA4CF930
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA3B5950	27_2_00007FF7CA3B5950
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA3BF9B0	27_2_00007FF7CA3BF9B0
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA4BCA4C	27_2_00007FF7CA4BCA4C
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA372F84	27_2_00007FF7CA372F84
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA36DF38	27_2_00007FF7CA36DF38
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA384FE0	27_2_00007FF7CA384FE0
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA4A1000	27_2_00007FF7CA4A1000
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA382070	27_2_00007FF7CA382070
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA3DA040	27_2_00007FF7CA3DA040
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA3860E0	27_2_00007FF7CA3860E0
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA38DD40	27_2_00007FF7CA38DD40
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA393D46	27_2_00007FF7CA393D46
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA360DD8	27_2_00007FF7CA360DD8
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA371DF4	27_2_00007FF7CA371DF4
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA35BD9C	27_2_00007FF7CA35BD9C
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA377E48	27_2_00007FF7CA377E48
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA3733E8	27_2_00007FF7CA3733E8
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA4A1408	27_2_00007FF7CA4A1408
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA3853C0	27_2_00007FF7CA3853C0
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA4C64E4	27_2_00007FF7CA4C64E4
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA3834F0	27_2_00007FF7CA3834F0
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA39B4D0	27_2_00007FF7CA39B4D0
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA3B0150	27_2_00007FF7CA3B0150
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA357150	27_2_00007FF7CA357150
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA4A1204	27_2_00007FF7CA4A1204
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA4C61FC	27_2_00007FF7CA4C61FC
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA3941A0	27_2_00007FF7CA3941A0
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA372258	27_2_00007FF7CA372258
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA385220	27_2_00007FF7CA385220
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA390230	27_2_00007FF7CA390230
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA4AE24C	27_2_00007FF7CA4AE24C
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA355252	27_2_00007FF7CA355252
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA35C300	27_2_00007FF7CA35C300
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA49E760	27_2_00007FF7CA49E760
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA35474C	27_2_00007FF7CA35474C
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA385800	27_2_00007FF7CA385800
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA36A810	27_2_00007FF7CA36A810
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA373870	27_2_00007FF7CA373870
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA4A984C	27_2_00007FF7CA4A984C
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA4C68DC	27_2_00007FF7CA4C68DC
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA3DC910	27_2_00007FF7CA3DC910
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA38B8A0	27_2_00007FF7CA38B8A0
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA399530	27_2_00007FF7CA399530
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA4A6520	27_2_00007FF7CA4A6520
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA3B6660	27_2_00007FF7CA3B6660
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA356660	27_2_00007FF7CA356660
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA35C630	27_2_00007FF7CA35C630
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA3E46E0	27_2_00007FF7CA3E46E0
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA3726BC	27_2_00007FF7CA3726BC

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\Fast!\nwjs\d3dcompiler_47.dll 7353F25DC5CF84D09894E3E0461CEF0E56799ADBC617FCE37620CA67240B547D

Found potential string decryption / allocating functions

Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: String function: 00273080 appears 45 times
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: String function: 00272ACB appears 80 times
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: String function: 002222E0 appears 47 times
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: String function: 00272186 appears 44 times
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: String function: 00272A98 appears 114 times
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: String function: 00222530 appears 44 times
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Code function: String function: 01002070 appears 34 times
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: String function: 00007FF7CA3B4380 appears 31 times
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: String function: 00007FF7CA35211D appears 32 times
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: String function: 00007FF7CA355C64 appears 372 times
Source: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe	Code function: String function: 00FF9AB6 appears 47 times
Source: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe	Code function: String function: 00FFC52F appears 37 times
Source: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe	Code function: String function: 0100834C appears 49 times

PE file contains more sections than normal

Source: nw.dll.7.dr	Static PE information: Number of sections : 16 > 10
Source: libGLESv2.dll0.7.dr	Static PE information: Number of sections : 13 > 10
Source: vk_swiftshader.dll.7.dr	Static PE information: Number of sections : 12 > 10
Source: ffmpeg.dll.7.dr	Static PE information: Number of sections : 12 > 10
Source: libEGL.dll0.7.dr	Static PE information: Number of sections : 13 > 10
Source: node.dll.7.dr	Static PE information: Number of sections : 12 > 10
Source: vulkan-1.dll.7.dr	Static PE information: Number of sections : 12 > 10
Source: nw_elf.dll.7.dr	Static PE information: Number of sections : 15 > 10
Source: nw.exe.7.dr	Static PE information: Number of sections : 14 > 10

Tries to load missing DLLs

Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: nw_elf.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: ffmpeg.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: kbdus.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: twinapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: windows.ui.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: windowmanagementapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: inputhost.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: mdmregistration.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: mmdevapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: mdmregistration.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: msvcp110_win.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: omadmapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dmcmnutils.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: iri.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: mscms.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: coloradapterclient.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dsreg.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: wpnapps.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: rmclient.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: usermgrcli.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: windows.media.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: wlanapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: firewallapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: fwbase.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: d3d11.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dcomp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dxgi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: explorerframe.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: atlthunk.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: directmanipulation.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: linkinfo.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: wlanapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: pcpksp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: tbs.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: ncryptprov.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: nw_elf.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: nw_elf.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: ffmpeg.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dxgi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: mf.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: mfplat.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: rtworkq.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dcomp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: nw_elf.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: ffmpeg.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: nw_elf.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: ffmpeg.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Fast!\fast!.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: nw_elf.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: ffmpeg.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: node.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: node.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dwritecore.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: napinsp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: wshbth.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: winrnr.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: nw_elf.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: ffmpeg.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: nw_elf.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: ffmpeg.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Section loaded: dhcpcsvc.dll

Uses 32bit PE files

Source: Setup (1).exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR

Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56

Source: classification engine

Classification label: mal42.spyw.evad.winEXE@58/352@0/25

Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe

Code function: 27_2_00007FF7CA355FB0 FormatMessageA,GetLastError,

27_2_00007FF7CA355FB0

Source: C:\Users\user\Desktop\Setup (1).exe	Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	0_2_0040352D
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Code function: 7_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	7_2_0040352D
Source: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe	Code function: 10_2_01001175 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,FindCloseChangeNotification,	10_2_01001175
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0023E500 LookupPrivilegeValueW,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,	17_2_0023E500

Source: C:\Users\user\Desktop\Setup (1).exe

Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040498A

Source: C:\Users\user\Desktop\Setup (1).exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Program Files (x86)\Fast!\fast!.exe

Code function: 17_2_00222D20 LoadResource,LockResource,SizeofResource,

17_2_00222D20

Source: C:\Program Files (x86)\Fast!\FastSRV.exe

Code function: 13_2_01001050 StartServiceCtrlDispatcherW,GetLastError,

13_2_01001050

Source: C:\Program Files (x86)\Fast!\FastSRV.exe

Code function: 13_2_01001050 StartServiceCtrlDispatcherW,GetLastError,

13_2_01001050

Source: C:\Users\user\Desktop\Setup (1).exe

File created: C:\Program Files (x86)\Fast!

Jump to behavior

Source: C:\Users\user\Desktop\Setup (1).exe

File created: C:\Users\user\AppData\Local\FAST!

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ChromeProcessSingletonStartup!

Source: C:\Users\user\Desktop\Setup (1).exe

File created: C:\Users\user\AppData\Local\Temp\nsb9573.tmp

Jump to behavior

Source: C:\Program Files (x86)\Fast!\fast!.exe	Command line argument: /noui	17_2_00251E10
Source: C:\Program Files (x86)\Fast!\fast!.exe	Command line argument: /noui	17_2_00251E10
Source: C:\Program Files (x86)\Fast!\fast!.exe	Command line argument: 9[+	17_2_00251E10
Source: C:\Program Files (x86)\Fast!\fast!.exe	Command line argument: Local\fast!	17_2_00251E10
Source: C:\Program Files (x86)\Fast!\fast!.exe	Command line argument: <[+	17_2_00251E10
Source: C:\Program Files (x86)\Fast!\fast!.exe	Command line argument: Local\fast!	17_2_00251E10
Source: C:\Program Files (x86)\Fast!\fast!.exe	Command line argument: @[+	17_2_00251E10
Source: C:\Program Files (x86)\Fast!\fast!.exe	Command line argument: D[+	17_2_00251E10
Source: C:\Program Files (x86)\Fast!\fast!.exe	Command line argument: ui\.	17_2_00251E10
Source: C:\Program Files (x86)\Fast!\fast!.exe	Command line argument: nwjs\nw	17_2_00251E10
Source: C:\Program Files (x86)\Fast!\fast!.exe	Command line argument: open	17_2_00251E10
Source: C:\Program Files (x86)\Fast!\fast!.exe	Command line argument: ^N)	17_2_00294DB0

Source: Setup (1).exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor

Source: C:\Users\user\Desktop\Setup (1).exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Setup (1).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: nw.exe, 00000012.00000003.2850389338.000002316E50D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','sqlite_autoindex_autofill_1','autofill',#4,NULL);M
Source: nw.exe, 00000012.00000003.2850389338.000002316E50D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','sqlite_autoindex_autofill_1','autofill',#4,NULL);
Source: nw.exe, 00000012.00000003.2849600888.000002316EDA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT origin_url, action_url, username_element, username_value, password_element, password_value, submit_element, signon_realm, date_created, blacklisted_by_user, scheme, password_type, times_used, form_data, display_name, icon_url, federation_url, skip_zero_click, generation_upload_status, possible_username_pairs, id, date_last_used, moving_blocked_for, date_password_modified, sender_email, sender_name, date_received, sharing_notification_displayed, keychain_identifier FROM logins WHERE blacklisted_by_user == ? ORDER BY origin_url@WD;
Source: nw.exe, 00000012.00000003.2850389338.000002316E50D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','sqlite_autoindex_local_addresses_1','local_addresses',#4,NULL);te', rootpage=#2, sql=
Source: nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE logins SET action_url=?, password_value=?, submit_element=?, date_created=?, blacklisted_by_user=?, scheme=?, password_type=?, times_used=?, form_data=?, display_name=?, icon_url=?, federation_url=?, skip_zero_click=?, generation_upload_status=?, possible_username_pairs=?, date_last_used=?, moving_blocked_for=?, date_password_modified=?, sender_email=?, sender_name=?, date_received=?, sharing_notification_displayed=?, keychain_identifier=? WHERE origin_url=? AND username_element=? AND username_value=? AND password_element=? AND signon_realm=?m32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsApps;C:\Users\user\AppData\Local\Microsoft\WindowsApps
Source: nw.exe, 00000012.00000003.2850389338.000002316E50D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','sqlite_autoindex_local_addresses_1','local_addresses',#4,NULL);
Source: nw.exe, 00000012.00000003.2863469694.000002316EE0B000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2846338027.000002316EE1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: nw.exe, 00000012.00000003.2849600888.000002316EDA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','sqlite_autoindex_contact_info_type_tokens_1','contact_info_type_tokens',#4,NULL);\wasm0N
Source: nw.exe, 00000012.00000003.2849600888.000002316EDA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','sqlite_autoindex_contact_info_type_tokens_1','contact_info_type_tokens',#4,NULL);

Source: diskspd.exe	String found in binary or memory: <LoadImage>%I64u</LoadImage>
Source: diskspd.exe	String found in binary or memory: Error creating/opening force-stop event: '%s'
Source: diskspd.exe	String found in binary or memory: Error creating/opening wait-for-start event: '%s'
Source: nw.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: nw.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: nw.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: nw.exe	String found in binary or memory: Try '%ls --help' for more information.

Source: C:\Users\user\Desktop\Setup (1).exe

File read: C:\Users\user\Desktop\Setup (1).exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Setup (1).exe C:\Users\user\Desktop\Setup (1).exe
Source: C:\Users\user\Desktop\Setup (1).exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/installing.html?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1932,i,407126297342683316,15967472951187862023,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\Setup (1).exe	Process created: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe "C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe" /fcid 1708534066480873
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp" > C:\Users\user\AppData\Local\FAST!\Temp\dskres.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/installed.php?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873
Source: unknown	Process created: C:\Program Files (x86)\Fast!\FastSRV.exe C:\Program Files (x86)\Fast!\FastSRV.exe
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Process created: C:\Program Files (x86)\Fast!\fast!.exe C:\Program Files (x86)\fast!\fast!.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1988,i,4595683001610926679,17947632816078318060,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process created: C:\Program Files (x86)\Fast!\fast!.exe C:\Program Files (x86)\Fast!\Fast!.exe
Source: C:\Program Files (x86)\Fast!\fast!.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" ui\.
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\FAST!\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\FAST!\User Data\Crashpad" "--metrics-dir=C:\Users\user\AppData\Local\FAST!\User Data" --annotation=plat=Win64 --annotation=prod=FAST! --annotation=ver= --initial-client-data=0x26c,0x270,0x274,0x268,0x278,0x7ffda39aa970,0x7ffda39aa980,0x7ffda39aa990
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=gpu-process --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2036 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:2
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --start-stack-profiler --mojo-platform-channel-handle=2396 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-GB --service-sandbox-type=service --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=2500 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Process created: C:\Program Files (x86)\Fast!\fast!.exe C:\Program Files (x86)\fast!\fast!.exe
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --nwjs --extension-process --first-renderer-process --no-sandbox --file-url-path-alias="/gen=C:\Program Files (x86)\Fast!\nwjs\gen" --no-zygote --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1708532403761554 --launch-time-ticks=6663733321 --mojo-platform-channel-handle=2864 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:1
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=3364 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=3944 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=3848 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --start-stack-profiler --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4236 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:2
Source: C:\Users\user\Desktop\Setup (1).exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/installing.html?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Process created: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe "C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe" /fcid 1708534066480873	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1932,i,407126297342683316,15967472951187862023,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/installed.php?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp" > C:\Users\user\AppData\Local\FAST!\Temp\dskres.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/installed.php?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process created: C:\Program Files (x86)\Fast!\fast!.exe C:\Program Files (x86)\Fast!\Fast!.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1988,i,4595683001610926679,17947632816078318060,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Process created: C:\Program Files (x86)\Fast!\fast!.exe C:\Program Files (x86)\fast!\fast!.exe	Jump to behavior
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Process created: C:\Program Files (x86)\Fast!\fast!.exe C:\Program Files (x86)\fast!\fast!.exe	Jump to behavior
Source: C:\Program Files (x86)\Fast!\fast!.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" ui\.
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\FAST!\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\FAST!\User Data\Crashpad" "--metrics-dir=C:\Users\user\AppData\Local\FAST!\User Data" --annotation=plat=Win64 --annotation=prod=FAST! --annotation=ver= --initial-client-data=0x26c,0x270,0x274,0x268,0x278,0x7ffda39aa970,0x7ffda39aa980,0x7ffda39aa990
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=gpu-process --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2036 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:2
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --start-stack-profiler --mojo-platform-channel-handle=2396 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-GB --service-sandbox-type=service --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=2500 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --nwjs --extension-process --first-renderer-process --no-sandbox --file-url-path-alias="/gen=C:\Program Files (x86)\Fast!\nwjs\gen" --no-zygote --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1708532403761554 --launch-time-ticks=6663733321 --mojo-platform-channel-handle=2864 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:1
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=3364 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=3944 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=3848 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --start-stack-profiler --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4236 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:2

Source: C:\Users\user\Desktop\Setup (1).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Fast!.lnk.7.dr	LNK file: ..\..\..\Program Files (x86)\Fast!\fast!.exe
Source: Uninstall.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\Fast!\uninstaller.exe
Source: Fast!.lnk0.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\Fast!\fast!.exe

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Source: C:\Windows\explorer.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations

PE / OLE file has a valid certificate

Source: Setup (1).exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Setup (1).exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: UxTheme.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winsta.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bcrypt.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nw82_win64\node-webkit\src\outst\nw\nw.dll.pdb source: nw.exe, 00000013.00000003.2836486724.0000026D91CA1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839281962.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2836653450.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: core.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nw82_win64\node-webkit\src\outst\nw\nw_elf.dll.pdb= source: nw.exe, 00000013.00000003.2836486724.0000026D91CA1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839281962.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2836653450.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WindowManagementAPI.pdbli.dll resources source: nw.exe, 00000013.00000003.2839794746.0000026D91C7B000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840500534.0000026D91C7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: nw.exe, 00000013.00000003.2840039452.0000026D8FF06000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdb source: nw.exe, 00000013.00000003.2840039452.0000026D8FF06000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .Storage.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msctf.pdby source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ,ColorAdapterClient.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ole32.pdby source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: &Windows.Storage.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdby source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Build\Build_vfs_2.334_D20240202T154808\veryfast.io\proc_booster\Release-Booster\proc_booster.pdb source: fast!.exe, 0000000E.00000000.2769320005.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000011.00000000.2775685966.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000018.00000002.2891621859.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000018.00000000.2871457721.000000000029C000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: kernel32.pdb source: nw.exe, 00000013.00000003.2841979994.0000026D8FEB6000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nw82_sdk_win64\node-webkit\src\outst\nw\initialexe\nw.exe.pdb source: nw.exe, 00000012.00000000.2805895132.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp, nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000000.2815469653.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC7000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000000.2823375777.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp, nw.exe, 00000015.00000000.2847572150.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp, nw.exe, 00000016.00000000.2856410253.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp, nw.exe, 00000019.00000000.2874336337.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: wkscli.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\SYSTEM32\dhcpcsvc6.DLLcore.pdb1' source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ThreadPoolServiceThreadTextInputFramework.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InputHost.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winspool.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: iphlpapi.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wpnapps.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nsi.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winmm.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: "CoreMessaging.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gpapi.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: powrprof.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System32\MMDevApi.dllponents.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ponents.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdby source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nw82_win64\node-webkit\src\outst\nw\ffmpeg.dll.pdb.dll source: nw.exe, 00000013.00000003.2836486724.0000026D91CA1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839281962.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2836653450.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Build\Build_vfs_2.334_D20240202T154808\veryfast.io\FastSRV\Release\FastSRV.pdb source: FastSRV.exe, 0000000D.00000000.2765015549.000000000100E000.00000002.00000001.01000000.00000013.sdmp, FastSRV.exe, 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: Windows.UI.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DWrite.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cfgmgr32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Build\Build_vfs_2.334_D20240202T154808\veryfast.io\proc_booster\Release-Booster\proc_booster.pdb\ source: fast!.exe, 0000000E.00000000.2769320005.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000011.00000000.2775685966.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000018.00000002.2891621859.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000018.00000000.2871457721.000000000029C000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: mscms.pdby source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ,TextInputFramework.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdby source: nw.exe, 00000013.00000003.2841979994.0000026D8FEB6000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: secur32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dpapi.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\rs1.obj.x86fre\sdktools\srvperf\diskspd.oss\cmdrequestcreator\objfre\i386\diskspd.pdbGCTL source: diskspd.exe, 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp
Source:	Binary string: netutils.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: nw.exe, 00000013.00000003.2840039452.0000026D8FF06000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WinTypes.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ,ColorAdapterClient.pdb] source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dhcpcsvc.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WindowManagementAPI.pdb source: nw.exe, 00000013.00000003.2839794746.0000026D91C7B000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840500534.0000026D91C7B000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdb source: nw.exe, 00000013.00000003.2840039452.0000026D8FF06000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: terClient.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nw82_win64\node-webkit\src\outst\nw\ffmpeg.dll.pdball_metrics.instalO source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: &twinapi.appcore.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (CoreUIComponents.pdbJk source: nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MMDevAPI.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: imm32.pdby source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dll.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System32\RMCLIENT.dllterClient.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnsapi.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nw82_win64\node-webkit\src\outst\nw\nw_elf.dll.pdb source: nw.exe, 00000013.00000003.2836486724.0000026D91CA1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839281962.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2836653450.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nlaapi.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: setupapi.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\rs1.obj.x86fre\sdktools\srvperf\diskspd.oss\cmdrequestcreator\objfre\i386\diskspd.pdb source: diskspd.exe, diskspd.exe, 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp
Source:	Binary string: winhttp.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gdi32full.pdb source: nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System32\WINTRUST.dlldll.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (CoreUIComponents.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RmClient.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dpapi.pdby source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fmpeg.dll.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdb source: nw.exe, 00000012.00000003.2860431579.000002316ED46000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winmm.pdby source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: nw.exe, 00000013.00000003.2840039452.0000026D8FF06000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: w_elf.dll.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ,TextInputFramework.pdb&l source: nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nw82_win64\node-webkit\src\outst\nw\nw.dll.pdbr[ source: nw.exe, 00000013.00000003.2836486724.0000026D91CA1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839281962.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2836653450.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $Kernel.Appcore.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\SYSTEM32\DEVOBJ.dll.Storage.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: TextInputFramework.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: version.pdb source: nw.exe, 00000013.00000003.2840039452.0000026D8FF06000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (CoreUIComponents.pdb)* source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wintrust.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (bcryptprimitives.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: nw.exe, 00000012.00000003.2863647667.000002316EE95000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860630745.000002316EE95000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: user32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptbase.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: nw.exe, 00000013.00000003.2841979994.0000026D8FEB6000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wtsapi32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840925193.0000026D8FEC4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nw82_win64\node-webkit\src\outst\nw\ffmpeg.dll.pdb source: nw.exe, 00000013.00000003.2836486724.0000026D91CA1000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839281962.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2836653450.0000026D91CA2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: comctl32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2841849874.0000026D8FEC2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gpapi.pdby source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdb source: nw.exe, 00000013.00000003.2840607139.0000026D8FEB9000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2843109338.0000026D8FEBE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840762272.0000026D8FEBB000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2840789453.0000026D8FEBC000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2838871366.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000013.00000003.2839875382.0000026D91E44000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Contains functionality to dynamically determine API calls

Source: C:\Program Files (x86)\Fast!\fast!.exe

Code function: 17_2_00240150 LoadLibraryW,GetProcAddress,GetProcAddress,FreeLibrary,

17_2_00240150

PE file contains an invalid checksum

Source: System.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x3d68
Source: System.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0x3d68
Source: libGLESv2.dll0.7.dr	Static PE information: real checksum: 0x0 should be: 0x69cd14
Source: vk_swiftshader.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0x45629c
Source: nsExec.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0xde0c
Source: ffmpeg.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0x1ffb7a
Source: inetc.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0x13c41
Source: libEGL.dll0.7.dr	Static PE information: real checksum: 0x0 should be: 0x72fff
Source: SimpleSC.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0x1119d4
Source: libEGL.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0x25219
Source: Setup (1).exe	Static PE information: real checksum: 0x1b7ab should be: 0x26447
Source: vulkan-1.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0xe54f7
Source: uninstaller.exe.7.dr	Static PE information: real checksum: 0x7d4cd54 should be: 0x7a44e
Source: nw_elf.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0x1203a0
Source: libGLESv2.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0x1f9bbb
Source: inetc.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x13c41
Source: nsDialogs.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x2f9b

PE file contains sections with non-standard names

Source: SimpleSC.dll.7.dr	Static PE information: section name: .didata
Source: ffmpeg.dll.7.dr	Static PE information: section name: .00cfg
Source: ffmpeg.dll.7.dr	Static PE information: section name: .gxfg
Source: ffmpeg.dll.7.dr	Static PE information: section name: .retplne
Source: ffmpeg.dll.7.dr	Static PE information: section name: .voltbl
Source: ffmpeg.dll.7.dr	Static PE information: section name: _RDATA
Source: libEGL.dll0.7.dr	Static PE information: section name: .00cfg
Source: libEGL.dll0.7.dr	Static PE information: section name: .gxfg
Source: libEGL.dll0.7.dr	Static PE information: section name: .retplne
Source: libEGL.dll0.7.dr	Static PE information: section name: .voltbl
Source: libEGL.dll0.7.dr	Static PE information: section name: _RDATA
Source: libEGL.dll0.7.dr	Static PE information: section name: malloc_h
Source: libGLESv2.dll0.7.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll0.7.dr	Static PE information: section name: .gxfg
Source: libGLESv2.dll0.7.dr	Static PE information: section name: .retplne
Source: libGLESv2.dll0.7.dr	Static PE information: section name: .voltbl
Source: libGLESv2.dll0.7.dr	Static PE information: section name: _RDATA
Source: libGLESv2.dll0.7.dr	Static PE information: section name: malloc_h
Source: node.dll.7.dr	Static PE information: section name: .00cfg
Source: node.dll.7.dr	Static PE information: section name: .gxfg
Source: node.dll.7.dr	Static PE information: section name: .retplne
Source: node.dll.7.dr	Static PE information: section name: .voltbl
Source: node.dll.7.dr	Static PE information: section name: _RDATA
Source: nw.dll.7.dr	Static PE information: section name: .00cfg
Source: nw.dll.7.dr	Static PE information: section name: .gxfg
Source: nw.dll.7.dr	Static PE information: section name: .retplne
Source: nw.dll.7.dr	Static PE information: section name: .rodata
Source: nw.dll.7.dr	Static PE information: section name: .voltbl
Source: nw.dll.7.dr	Static PE information: section name: CPADinfo
Source: nw.dll.7.dr	Static PE information: section name: LZMADEC
Source: nw.dll.7.dr	Static PE information: section name: _RDATA
Source: nw.dll.7.dr	Static PE information: section name: malloc_h
Source: nw.exe.7.dr	Static PE information: section name: .00cfg
Source: nw.exe.7.dr	Static PE information: section name: .gxfg
Source: nw.exe.7.dr	Static PE information: section name: .retplne
Source: nw.exe.7.dr	Static PE information: section name: .voltbl
Source: nw.exe.7.dr	Static PE information: section name: CPADinfo
Source: nw.exe.7.dr	Static PE information: section name: _RDATA
Source: nw.exe.7.dr	Static PE information: section name: malloc_h
Source: nw_elf.dll.7.dr	Static PE information: section name: .00cfg
Source: nw_elf.dll.7.dr	Static PE information: section name: .crthunk
Source: nw_elf.dll.7.dr	Static PE information: section name: .gxfg
Source: nw_elf.dll.7.dr	Static PE information: section name: .retplne
Source: nw_elf.dll.7.dr	Static PE information: section name: .voltbl
Source: nw_elf.dll.7.dr	Static PE information: section name: CPADinfo
Source: nw_elf.dll.7.dr	Static PE information: section name: _RDATA
Source: nw_elf.dll.7.dr	Static PE information: section name: malloc_h
Source: vk_swiftshader.dll.7.dr	Static PE information: section name: .00cfg
Source: vk_swiftshader.dll.7.dr	Static PE information: section name: .gxfg
Source: vk_swiftshader.dll.7.dr	Static PE information: section name: .retplne
Source: vk_swiftshader.dll.7.dr	Static PE information: section name: .voltbl
Source: vk_swiftshader.dll.7.dr	Static PE information: section name: _RDATA
Source: vulkan-1.dll.7.dr	Static PE information: section name: .00cfg
Source: vulkan-1.dll.7.dr	Static PE information: section name: .gxfg
Source: vulkan-1.dll.7.dr	Static PE information: section name: .retplne
Source: vulkan-1.dll.7.dr	Static PE information: section name: .voltbl
Source: vulkan-1.dll.7.dr	Static PE information: section name: _RDATA

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe	Code function: 10_2_0100D7A9 push ecx; ret	10_2_0100D7BC
Source: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe	Code function: 10_2_0100D0E7 push ecx; ret	10_2_0100D0FA
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Code function: 13_2_0100DB61 push ecx; ret	13_2_0100DB74
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_00272A75 push ecx; ret	17_2_00272A88
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA392497 push rbp; ret	27_2_00007FF7CA392498

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe

Code function: __EH_prolog3_GS,srand,GetCurrentThread,SetThreadGroupAffinity,atoi,sprintf_s,isalpha,sprintf_s,CreateFileA,SetFileInformationByHandle,GetFileSize,GetLastError,__aulldiv,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetFilePointerEx,GetLastError,GetLastError,GetLastError,GetLastError,WaitForSingleObject,GetLastError,Sleep,ReadFile,WriteFile,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetFilePointerEx,GetLastError,CreateIoCompletionPort,GetLastError,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,WaitForSingleObject,VirtualFree,FindCloseChangeNotification,CloseHandle,??3@YAXPAX@Z, \\.\PhysicalDrive%u

10_2_01001F60

Drops PE files

Source: C:\Users\user\Desktop\Setup (1).exe	File created: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Program Files (x86)\Fast!\nwjs\node.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Program Files (x86)\Fast!\nwjs\swiftshader\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Program Files (x86)\Fast!\nwjs\nw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Program Files (x86)\Fast!\nwjs\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\nsb9574.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Program Files (x86)\Fast!\nwjs\ffmpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Program Files (x86)\Fast!\nwjs\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Program Files (x86)\Fast!\nwjs\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\nsb9574.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Program Files (x86)\Fast!\uninstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\inetc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Program Files (x86)\Fast!\nwjs\swiftshader\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Program Files (x86)\Fast!\fast!.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Program Files (x86)\Fast!\FastSRV.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Program Files (x86)\Fast!\nwjs\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\SimpleSC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Program Files (x86)\Fast!\nwjs\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\nsb9574.tmp\inetc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Program Files (x86)\Fast!\nwjs\nw_elf.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe	Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe

10_2_01001F60

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Fast!	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Fast!\Uninstall.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Fast!\Fast!.lnk	Jump to behavior

Source: C:\Program Files (x86)\Fast!\FastSRV.exe

Code function: 13_2_01001050 StartServiceCtrlDispatcherW,GetLastError,

13_2_01001050

Hooking and other Techniques for Hiding and Protection

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\Setup (1).exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Setup (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Fast!\fast!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\fast!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\fast!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\fast!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to check if the process is started with administrator privileges

Source: C:\Program Files (x86)\Fast!\fast!.exe

Code function: 17_2_0024B970 EnumProcesses,GetTickCount64,OpenProcess,GetProcessImageFileNameW,CloseHandle,GetModuleHandleW,GetProcAddress,OpenProcess,CloseHandle,

17_2_0024B970

Found stalling execution ending in API Sleep call

Source: C:\Program Files (x86)\Fast!\FastSRV.exe

Stalling execution: Execution stalls by calling Sleep

graph_13-6772

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Source: C:\Program Files (x86)\Fast!\fast!.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId, ServiceType FROM Win32_Service
Source: C:\Program Files (x86)\Fast!\fast!.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId, ServiceType FROM Win32_Service
Source: C:\Program Files (x86)\Fast!\fast!.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId, ServiceType FROM Win32_Service

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe

Code function: 27_2_00007FF7CA389AF0 rdtsc

27_2_00007FF7CA389AF0

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Program Files (x86)\Fast!\fast!.exe	Window / User API: threadDelayed 4392
Source: C:\Program Files (x86)\Fast!\fast!.exe	Window / User API: threadDelayed 3089
Source: C:\Program Files (x86)\Fast!\fast!.exe	Window / User API: foregroundWindowGot 1697
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 413
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 404

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Fast!\nwjs\swiftshader\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Fast!\nwjs\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Fast!\nwjs\swiftshader\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Fast!\nwjs\nw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Fast!\nwjs\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\SimpleSC.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup (1).exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb9574.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Fast!\nwjs\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Fast!\nwjs\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Fast!\nwjs\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Fast!\uninstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup (1).exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb9574.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup (1).exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb9574.tmp\inetc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\inetc.dll	Jump to dropped file

Found evasive API chain (date check)

Source: C:\Program Files (x86)\Fast!\fast!.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Found evasive API chain checking for process token information

Source: C:\Program Files (x86)\Fast!\FastSRV.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_13-6779

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe	API coverage: 7.2 %
Source: C:\Program Files (x86)\Fast!\fast!.exe	API coverage: 7.6 %
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	API coverage: 5.0 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 1032	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Fast!\fast!.exe TID: 7676	Thread sleep count: 4392 > 30
Source: C:\Program Files (x86)\Fast!\fast!.exe TID: 7676	Thread sleep time: -4392000s >= -30000s
Source: C:\Program Files (x86)\Fast!\fast!.exe TID: 5060	Thread sleep count: 159 > 30
Source: C:\Program Files (x86)\Fast!\fast!.exe TID: 7676	Thread sleep count: 36 > 30
Source: C:\Program Files (x86)\Fast!\fast!.exe TID: 7676	Thread sleep count: 82 > 30
Source: C:\Program Files (x86)\Fast!\fast!.exe TID: 7676	Thread sleep count: 31 > 30
Source: C:\Program Files (x86)\Fast!\fast!.exe TID: 7676	Thread sleep count: 31 > 30
Source: C:\Program Files (x86)\Fast!\fast!.exe TID: 7676	Thread sleep count: 3089 > 30
Source: C:\Program Files (x86)\Fast!\fast!.exe TID: 7676	Thread sleep time: -3089000s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Queries keyboard layouts

Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe

Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer,Product FROM Win32_BaseBoard
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer,Version FROM Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Program Files (x86)\Fast!\fast!.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Program Files (x86)\Fast!\fast!.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Program Files (x86)\Fast!\fast!.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File Volume queried: C:\Users\user\AppData\Local\FAST!\User Data\Default\Code Cache\wasm FullSizeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File Volume queried: C:\Users\user\AppData\Local\FAST!\User Data\Default\Code Cache\js FullSizeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File Volume queried: C:\Users\user\AppData\Local\FAST!\User Data\Default\blob_storage\4a61026f-bc63-48a9-9d14-f90bfcfd1b79 FullSizeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File Volume queried: C:\Users\user\AppData\Local\FAST!\User Data\Default FullSizeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File Volume queried: C:\Users\user\AppData\Local\FAST!\User Data\Default FullSizeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File Volume queried: C:\Users\user\AppData\Local\FAST!\User Data\Default FullSizeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File Volume queried: C:\Users\user\AppData\Local\FAST!\User Data\Default FullSizeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File Volume queried: C:\Users\user\AppData\Local\FAST!\User Data\Default\Cache\Cache_Data FullSizeInformation

Source: C:\Users\user\Desktop\Setup (1).exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\Setup (1).exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\Setup (1).exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Code function: 7_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	7_2_00405C49
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Code function: 7_2_00406873 FindFirstFileW,FindClose,	7_2_00406873
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Code function: 7_2_0040290B FindFirstFileW,	7_2_0040290B
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Code function: 13_2_01006CAD FindFirstFileExW,	13_2_01006CAD
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0028C562 FindFirstFileExW,	17_2_0028C562
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA3CC1C0 FindNextFileW,FindClose,FindFirstFileExW,GetLastError,GetFileAttributesW,	27_2_00007FF7CA3CC1C0

Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe

Code function: 27_2_00007FF7CA354688 GetSystemInfo,

27_2_00007FF7CA354688

Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File opened: C:\Users\user\AppData\Local\FAST!\User Data\Default\Local Storage\
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File opened: C:\Users\user\AppData\Local\FAST!\User Data\
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File opened: C:\Users\user\
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File opened: C:\Users\user\AppData\Local\FAST!\User Data\Default\Local Storage\leveldb\
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	File opened: C:\Users\user\AppData\

Source: explorer.exe, 0000001A.00000000.2902922002.000000000962B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: Setup (1).exe, 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: Click Next to continue.cpu_maxclock": "2000", "cpu_cores": "4", "cpu_logicalproc": "1", "pc_vendor": "VMware%2C+Inc%2E", "pc_version": "None", "gpu_name": "4MKF1R5YE", "gpu_ram": "0", "gpu_bitsperpixel": "32", "gpu_x": "1280", "gpu_y": "1024", "disk_name": "XNWT3Z39+SCSI+Disk+Device", "disk_size": "412300001200", "sec_as": "", "sec_av": "Windows+Defender", "sec_fw": "", "bios_releasedate": "20221121000000%2E000000%2B000" }
Source: fast!.exe, 00000011.00000003.2793150906.00000000008E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: Setup (1).exe, 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: el%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz", "cpu_maxclock": "2000", "cpu_cores": "4", "cpu_logicalproc": "1", "pc_vendor": "VMware%2C+Inc%2E", "pc_version": "None", "gpu_name": "4MKF1R5YE", "gpu_ram": "0", "gpu_bitsperpixel": "32", "gpu_x": "1280", "gpu_y": "1024", "disk_name": "XNWT3Z39+SCSI+Disk+Device", "disk_size": "412300001200", "sec_as": "", "sec_av": "Windows+Defender", "sec_fw": "", "bios_releasedate": "20221121000000%2E000000%2B000" }
Source: Setup (1).exe, 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: 24s_name": "Microsoft+Windows+10+Pro", "os_installdate": "20231003105718%2E000000%2B120", "os_processes": "106", "os_architecture": "64-bit", "os_virtmem": "8387636", "os_mem": "4193332", "cpu_name": "Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz", "cpu_maxclock": "2000", "cpu_cores": "4", "cpu_logicalproc": "1", "pc_vendor": "VMware%2C+Inc%2E", "pc_version": "None", "gpu_name": "4MKF1R5YE", "gpu_ram": "0", "gpu_bitsperpixel": "32", "gpu_x": "1280", "gpu_y": "1024", "disk_name": "XNWT3Z39+SCSI+Disk+Device", "disk_size": "412300001200", "sec_as": "", "sec_av": "Windows+Defender", "sec_fw": "", "bios_releasedate": "20221121000000%2E000000%2B000" }03000200-0400-0500-0006-000700080009sion\Uninstall
Source: explorer.exe, 0000001A.00000003.2982915704.000000000C4FA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: #{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: Setup (1).exe, 00000000.00000003.2398837127.00000000005B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.i_{
Source: Setupuser.exe, 00000007.00000002.2785435348.0000000002F52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873&ch=&version=2.334&dsk_iosec=54466&dsk_mbsec=212&os_name=Microsoft%20Windows%2010%20Pro&os_installdate=20231003105718.000000+120&os_processes=106&os_architecture=64-bit&os_virtmem=8387636&os_mem=4193332&cpu_name=Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz&cpu_maxclock=2000&cpu_cores=4&cpu_logicalproc=1&pc_vendor=VMware,%20Inc.&pc_version=None&gpu_name=4MKF1R5YE&gpu_ram=0&gpu_bitsperpixel=32&gpu_x=1280&gpu_y=1024&disk_name=XNWT3Z39%20SCSI%20Disk%20Device&disk_size=412300001200&sec_as=&sec_av=Windows%20Defender&sec_fw=&bios_releasedate=20221121000000.000000+000L2
Source: explorer.exe, 0000001A.00000000.2896629295.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Setup (1).exe, 00000000.00000002.2399775782.0000000000619000.00000004.00000020.00020000.00000000.sdmp, Setup (1).exe, 00000000.00000003.2398778503.0000000000619000.00000004.00000020.00020000.00000000.sdmp, Setupuser.exe, 00000007.00000002.2783609286.0000000000745000.00000004.00000020.00020000.00000000.sdmp, Setupuser.exe, 00000007.00000003.2780591249.0000000000757000.00000004.00000020.00020000.00000000.sdmp, Setupuser.exe, 00000007.00000003.2399728046.000000000075B000.00000004.00000020.00020000.00000000.sdmp, Setupuser.exe, 00000007.00000002.2783609286.0000000000757000.00000004.00000020.00020000.00000000.sdmp, Setupuser.exe, 00000007.00000003.2399491267.000000000075A000.00000004.00000020.00020000.00000000.sdmp, Setupuser.exe, 00000007.00000003.2780591249.0000000000745000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000000.2902922002.000000000978C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Setup (1).exe, 00000000.00000003.2145612557.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Zntel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz", "cpu_maxclock": "2000", "cpu_cores": "4", "cpu_logicalproc": "1", "pc_vendor": "VMware%2C+Inc%2E", "pc_version": "None", "gpu_name": "4MKF1R5YE", "gpu_ram": "0", "gpu_bitsperpixel": "32", 03000200-0400-0500-0006-00070008000912345678-1234-5678-90AB-CDDEEFAABBCC
Source: fast!.exe, 00000011.00000003.2793150906.00000000008E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stringComputer System ProductComputer System ProductPFZL634D802742-3099-9C0E-C19B-2A23EA1FC420VMware, Inc.None3
Source: Setup (1).exe, 00000000.00000002.2399775782.0000000000619000.00000004.00000020.00020000.00000000.sdmp, Setup (1).exe, 00000000.00000003.2398778503.0000000000619000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW7o5
Source: explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Setupuser.exe, 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmp	Binary or memory string: Remove folder: ted successfully.ST!\Temp0.tmp\inetc.dll2A23EA1FC420&_fcid=1708534066480873&version=2.334&evt_src=installer&evt_action=error_mini_empty_pathoft Windows 10 Pro&os_installdate=20231003105718.000000+120&os_processes=106&os_architecture=64-bit&os_virtmem=8387636&os_mem=4193332&cpu_name=Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz&cpu_maxclock=2000&cpu_cores=4&cpu_logicalproc=1&pc_vendor=VMware, Inc.&pc_version=None&gpu_name=4MKF1R5YE&gpu_ram=0&gpu_bitsperpixel=32&gpu_x=1280&gpu_y=1024&disk_name=XNWT3Z39 SCSI Disk Device&disk_size=412300001200&sec_as=&sec_av=Windows Defender&sec_fw=&bios_releasedate=20221121000000.000000+000sedate=20221121000000.000000+000
Source: Setupuser.exe, 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmp	Binary or memory string: getsers\user\AppData\Local\Temp\nsjF660.tmp\inetc.dlllln\chrome.exe.exeEgzHAhJBvX\OyFaUVEiUHqMTkmIRQejtSKH.exeexexechitecture=64-bit&os_virtmem=8387636&os_mem=4193332&cpu_name=Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz&cpu_maxclock=2000&cpu_cores=4&cpu_logicalproc=1&pc_vendor=VMware, Inc.&pc_version=None&gpu_name=4MKF1R5YE&gpu_ram=0&gpu_bitsperpixel=32&gpu_x=1280&gpu_y=1024&disk_name=XNWT3Z39 SCSI Disk Device&disk_size=412300001200&sec_as=&sec_av=Windows Defender&sec_fw=&bios_releasedate=20221121000000.000000+000C:\Users\user\AppData\Local\FAST!\Temp\emp_settingsgoneh9B-2A23EA1FC420&_fcid=1708534066480873C:\Users\user\AppData\Local\Temp\nsjF660.tmp-11ce-bfc1-08002be10318}\00010873C:\Users\user\AppData\Local\Temp\nsjF660.tmp\inetc.dllll-2A23EA1FC420&_fcid=1708534066480873Setup was completed successfully.nstalled.
Source: Setup (1).exe, 00000000.00000003.2145258806.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: STEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0001tchingDeviceIdocessors00192s\user\Desktop\Setup (1).exe"{ "os_name": "Microsoft+Windows+10+Pro", "os_installdate": "20231003105718%2E000000%2B120", "os_processes": "106", "os_architecture": "64-bit", "os_virtmem": "8387636", "os_mem": "4193332", "cpu_name": "Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz", "cpu_maxclock": "2000", "cpu_cores": "4", "cpu_logicalproc": "1", "pc_vendor": "VMware%2C+Inc%2E", "pc_version": "None", "gpu_name": "4MKF1R5YE",
Source: fast!.exe, 00000011.00000003.2793150906.00000000008E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stringComputer System ProductComputer System ProductPFZL634D802742-3099-9C0E-C19B-2A23EA1FC420VMware, Inc.Noney*
Source: explorer.exe, 0000001A.00000003.2979155488.00000000097F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Setupuser.exe, 00000007.00000003.2780591249.00000000007B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: https://veryfast.io/pixel.gif?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873&version=2.334&evt_src=installer&evt_action=systeminfo&dsk_iosec=54466&dsk_mbsec=212&os_name=Microsoft%20Windows%2010%20Pro&os_installdate=20231003105718.000000+120&os_processes=106&os_architecture=64-bit&os_virtmem=8387636&os_mem=4193332&cpu_name=Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz&cpu_maxclock=2000&cpu_cores=4&cpu_logicalproc=1&pc_vendor=VMware,%20Inc.&pc_version=None&gpu_name=4MKF1R5YE&gpu_ram=0&gpu_bitsperpixel=32&gpu_x=1280&gpu_y=1024&disk_name=XNWT3Z39%20SCSI%20Disk%20Device&disk_size=412300001200&sec_as=&sec_av=Windows%20Defender&sec_fw=&bios_releasedate=20221121000000.000000+000
Source: Setupuser.exe, 00000007.00000003.2780591249.00000000007B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873&version=2.334&evt_src=installer&evt_action=systeminfo&dsk_iosec=54466&dsk_mbsec=212&os_name=Microsoft%20Windows%2010%20Pro&os_installdate=20231003105718.000000+120&os_processes=106&os_architecture=64-bit&os_virtmem=8387636&os_mem=4193332&cpu_name=Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz&cpu_maxclock=2000&cpu_cores=4&cpu_logicalproc=1&pc_vendor=VMware,%20Inc.&pc_version=None&gpu_name=4MKF1R5YE&gpu_ram=0&gpu_bitsperpixel=32&gpu_x=1280&gpu_y=1024&disk_name=XNWT3Z39%20SCSI%20Disk%20Device&disk_size=412300001200&sec_as=&sec_av=Windows%20Defender&sec_fw=&bios_releasedate=20221121000000.000000+000
Source: Setupuser.exe	Binary or memory string: ogicalproc=1&pc_vendor=VMware, Inc.&pc_version=None&gpu_name=4MKF1R5YE&gpu_ram=0&gpu_bitsperpixel=32&gpu_x=1280&gpu_y=1024&disk_na
Source: Setup (1).exe, 00000000.00000003.2398837127.00000000005D3000.00000004.00000020.00020000.00000000.sdmp, Setup (1).exe, 00000000.00000002.2399632232.00000000005D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0rc%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 0000001A.00000003.2982915704.000000000C4FA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c
Source: Setupuser.exe, 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmp	Binary or memory string: &dsk_iosec=54466&dsk_mbsec=212&os_name=Microsoft Windows 10 Pro&os_installdate=20231003105718.000000+120&os_processes=106&os_architecture=64-bit&os_virtmem=8387636&os_mem=4193332&cpu_name=Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz&cpu_maxclock=2000&cpu_cores=4&cpu_logicalproc=1&pc_vendor=VMware, Inc.&pc_version=None&gpu_name=4MKF1R5YE&gpu_ram=0&gpu_bitsperpixel=32&gpu_x=1280&gpu_y=1024&disk_name=XNWT3Z39 SCSI Disk Device&disk_size=412300001200&sec_as=&sec_av=Windows Defender&sec_fw=&bios_releasedate=20221121000000.000000+000847336DeviceIdnw.exexetSKH.exe3r\AppData\Local\FAST!\Temp\Setupuser.exe" /fcid 1708534066480873222412\user\AppData\Local\FAST!\Temp\Setupuser.exe5446656OCount>
Source: explorer.exe, 0000001A.00000000.2902922002.0000000009605000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 0000001A.00000000.2896629295.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: Setup (1).exe, 00000000.00000003.2145692682.00000000005F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Zntel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz", "cpu_maxclock": "2000", "cpu_cores": "4", "cpu_logicalproc": "1", "pc_vendor": "VMware%2C+Inc%2E", "pc_version": "None", "gpu_name": "4MKF1R5Y
Source: Setup (1).exe, 00000000.00000003.2145500090.00000000005F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \{ "os_name": "Microsoft+Windows+10+Pro", "os_installdate": "20231003105718%2E000000%2B120", "os_processes": "106", "os_architecture": "64-bit", "os_virtmem": "8387636", "os_mem": "4193332", "cpu_name": "Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz", "cpu_maxclock": "2000", "cpu_cores": "4", "cpu_logicalproc": "1", "pc_vendor": "VMware%2C+Inc%2E", "pc_version": "None", "gpu_name": "4MKF1R5YE", "gpu_ram": "0", 03000200-0400-0500-0006-00070008000912345678-1234-5678-90AB-CDDEEFAABBCC
Source: Setup (1).exe, 00000000.00000003.2145150479.00000000005D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ]{ "os_name": "Microsoft+Windows+10+Pro", "os_installdate": "20231003105718%2E000000%2B120", "os_processes": "106", "os_architecture": "64-bit", "os_virtmem": "8387636", "os_mem": "4193332", "cpu_name": "Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz", "cpu_maxclock": "2000", "cpu_cores": "4", "cpu_logicalproc": "1", "pc_vendor": "VMware%2C+Inc%2E", "pc_version": "None", "gpu_name": "4MKF1R5YE",
Source: fast!.exe, 0000000E.00000003.2804840204.000000000453F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t
Source: Setup (1).exe, 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: getsers\user\AppData\Local\Temp\nsb9574.tmp\inetc.dll" /fcid 17085340664808732E3253214%25252E36%25252E32532 "os_architecture": "64-bit", "os_virtmem": "8387636", "os_mem": "4193332", "cpu_name": "Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz", "cpu_maxclock": "2000", "cpu_cores": "4", "cpu_logicalproc": "1", "pc_vendor": "VMware%2C+Inc%2E", "pc_version": "None", "gpu_name": "4MKF1R5YE", "gpu_ram": "0", "gpu_bitsperpixel": "32", "gpu_x": "1280", "gpu_y": "1024", "disk_name": "XNWT3Z39+SCSI+Disk+Device", "disk_size": "412300001200", "sec_as": "", "sec_av": "Windows+Defender", "sec_fw": "", "bios_releasedate": "20221121000000%2E000000%2B000" }C:\Users\user\AppData\Local\Temp\nsb9574.tmp\inetc.dll-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873el%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz", "cpu_maxclock": "2000", "cpu_cores": "4", "cpu_logicalproc": "1", "pc_vendor": "VMware%2C+Inc%2E", "pc_version": "None", "gpu_name": "4MKF1R5YE", "gpu_ram": "0", "gpu_bitsperpixel": "32", "gpu_x": "1280", "gpu_y": "1024", "disk_name": "XNWT3Z39+SCSI+Disk+Device", "disk_size": "412300001200", "sec_as": "", "sec_av": "Windows+Defender", "sec_fw": "", "bios_releasedate": "20221121000000%2E000000%2B000" }C:\Users\user\AppData\Local\Temp\nsb9574.tmpll%28x64%29+-+14%2E36%2E32532", 0FF1CE}B14%25252E36%25252E32532""os_architecture": "64-bit", "os_virtmem": "8387636", "os_mem": "4193332", "cpu_name": "Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz", "cpu_maxclock": "2000", "cpu_cores": "4", "cpu_logicalproc": "1", "pc_vendor": "VMware%2C+Inc%2E", "pc_version": "None", "gpu_name": "4MKF1R5YE", "gpu_ram": "0", "gpu_bitsperpixel": "32", "gpu_x": "1280", "gpu_y": "1024", "disk_name": "XNWT3Z39+SCSI+Disk+Device", "disk_size": "412300001200", "sec_as": "", "sec_av": "Windows+Defender", "sec_fw": "", "bios_releasedate": "20221121000000%2E000000%2B000" }C:\Users\user\AppData\Local\Temp\nsb9574.tmp\inetc.dll-C19B-2A23EA1FC420&_fcid=1708534066480873Setup was completed successfully.nstalled.
Source: Setupuser.exe, 00000007.00000003.2780591249.0000000000757000.00000004.00000020.00020000.00000000.sdmp, Setupuser.exe, 00000007.00000003.2399728046.000000000075B000.00000004.00000020.00020000.00000000.sdmp, Setupuser.exe, 00000007.00000002.2783609286.0000000000757000.00000004.00000020.00020000.00000000.sdmp, Setupuser.exe, 00000007.00000003.2399491267.000000000075A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWA
Source: explorer.exe, 0000001A.00000000.2896629295.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: Setupuser.exe, 00000007.00000002.2785435348.0000000002F52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: https://veryfast.io/register.php?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873&ch=&version=2.334&dsk_iosec=54466&dsk_mbsec=212&os_name=Microsoft%20Windows%2010%20Pro&os_installdate=20231003105718.000000+120&os_processes=106&os_architecture=64-bit&os_virtmem=8387636&os_mem=4193332&cpu_name=Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz&cpu_maxclock=2000&cpu_cores=4&cpu_logicalproc=1&pc_vendor=VMware,%20Inc.&pc_version=None&gpu_name=4MKF1R5YE&gpu_ram=0&gpu_bitsperpixel=32&gpu_x=1280&gpu_y=1024&disk_name=XNWT3Z39%20SCSI%20Disk%20Device&disk_size=412300001200&sec_as=&sec_av=Windows%20Defender&sec_fw=&bios_releasedate=20221121000000.000000+000
Source: explorer.exe, 0000001A.00000003.2982485901.000000000C577000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@.
Source: explorer.exe, 0000001A.00000000.2896629295.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Setup (1).exe	API call chain: ExitProcess graph end node			graph_0-3454
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	API call chain: ExitProcess graph end node			graph_7-3508

Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_10-5497

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe

Code function: 27_2_00007FF7CA389AF0 rdtsc

27_2_00007FF7CA389AF0

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Program Files (x86)\Fast!\FastSRV.exe

Code function: 13_2_010015FE IsDebuggerPresent,OutputDebugStringW,

13_2_010015FE

Contains functionality to dynamically determine API calls

Source: C:\Program Files (x86)\Fast!\fast!.exe

Code function: 17_2_00240150 LoadLibraryW,GetProcAddress,GetProcAddress,FreeLibrary,

17_2_00240150

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Program Files (x86)\Fast!\FastSRV.exe

Code function: 13_2_01008275 GetProcessHeap,

13_2_01008275

Enables debug privileges

Source: C:\Program Files (x86)\Fast!\fast!.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Fast!\fast!.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Fast!\fast!.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe	Code function: 10_2_0100D5FA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0100D5FA
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Code function: 13_2_01004769 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_01004769
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Code function: 13_2_01001B90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_01001B90
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Code function: 13_2_01001FFB SetUnhandledExceptionFilter,	13_2_01001FFB
Source: C:\Program Files (x86)\Fast!\FastSRV.exe	Code function: 13_2_01001E96 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_01001E96
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_0027262D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_0027262D
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_00272E74 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_00272E74
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_00273007 SetUnhandledExceptionFilter,	17_2_00273007
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: 17_2_00277353 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_00277353
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA4C5BCC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_00007FF7CA4C5BCC
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Code function: 27_2_00007FF7CA499548 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	27_2_00007FF7CA499548

HIPS / PFW / Operating System Protection Evasion

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: EnumProcesses,GetTickCount64,OpenProcess,GetProcessImageFileNameW,CloseHandle,GetModuleHandleW,GetProcAddress,OpenProcess,CloseHandle, svchost.exe		17_2_0024B970
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: EnumProcesses,GetTickCount64,OpenProcess,GetProcessImageFileNameW,CloseHandle,GetModuleHandleW,GetProcAddress,OpenProcess,CloseHandle, explorer.exe		17_2_0024B970

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Setup (1).exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/installing.html?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp" > C:\Users\user\AppData\Local\FAST!\Temp\dskres.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/installed.php?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp	Jump to behavior
Source: C:\Program Files (x86)\Fast!\fast!.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" ui\.
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\FAST!\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\FAST!\User Data\Crashpad" "--metrics-dir=C:\Users\user\AppData\Local\FAST!\User Data" --annotation=plat=Win64 --annotation=prod=FAST! --annotation=ver= --initial-client-data=0x26c,0x270,0x274,0x268,0x278,0x7ffda39aa970,0x7ffda39aa980,0x7ffda39aa990
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=gpu-process --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2036 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:2
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --start-stack-profiler --mojo-platform-channel-handle=2396 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-GB --service-sandbox-type=service --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=2500 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --nwjs --extension-process --first-renderer-process --no-sandbox --file-url-path-alias="/gen=C:\Program Files (x86)\Fast!\nwjs\gen" --no-zygote --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1708532403761554 --launch-time-ticks=6663733321 --mojo-platform-channel-handle=2864 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:1
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=3364 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=3944 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=3848 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Process created: C:\Program Files (x86)\Fast!\nwjs\nw.exe "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --start-stack-profiler --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4236 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:2

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: explorer.exe, 0000001A.00000000.2899344405.00000000048E0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001A.00000000.2896629295.0000000000D69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +Progman
Source: fast!.exe, 0000000E.00000000.2769320005.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000011.00000000.2775685966.000000000029C000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: $windows explorernwjspowershellvolume mixersetupfast!application frame hostsystem traytask managerfolderviewwindows shellprogram managerwindows host processdefenderControl PanelFile Explorer
Source: fast!.exe	Binary or memory string: program manager

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Program Files (x86)\Fast!\FastSRV.exe

Code function: 13_2_01001CB2 cpuid

13_2_01001CB2

Contains functionality to query locales information (e.g. system language)

Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: EnumSystemLocalesW,	17_2_00288E2C
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	17_2_0028F058
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: EnumSystemLocalesW,	17_2_0028F304
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: EnumSystemLocalesW,	17_2_0028F34F
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: EnumSystemLocalesW,	17_2_0028F3EA
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: GetLocaleInfoW,	17_2_002893EF
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	17_2_0028F475
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: GetLocaleInfoW,	17_2_0028F6C8
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	17_2_0028F7F1
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: GetLocaleInfoW,	17_2_0028F8F7
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: GetLocaleInfoEx,	17_2_00271924
Source: C:\Program Files (x86)\Fast!\fast!.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	17_2_0028F9CD

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Program Files (x86)\Fast!\ui\package.json VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Program Files (x86)\Fast!\ui\package.json VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Program Files (x86)\Fast!\ui\images\fast.png VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Program Files (x86)\Fast!\ui\images\fast.png VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Program Files (x86)\Fast!\ui\images\fast.png VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Program Files (x86)\Fast!\ui\images\fast.png VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Program Files (x86)\Fast!\ui\images\fast.png VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Program Files (x86)\Fast!\ui\images\fast.png VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Program Files (x86)\Fast!\ui\images\fast.png VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Program Files (x86)\Fast!\ui\images\fast.png VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Program Files (x86)\Fast!\ui\images\fast.png VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Users\user\AppData\Local\FAST!\User Data\Crashpad\reports\4cda8e6d-356a-46e0-b308-2f858ac12c58.dmp VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Users\user\AppData\Local\FAST!\User Data\Crashpad\reports\4cda8e6d-356a-46e0-b308-2f858ac12c58.dmp VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Users\user\AppData\Local\FAST!\User Data\Crashpad\reports\4cda8e6d-356a-46e0-b308-2f858ac12c58.dmp VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Program Files (x86)\Fast!\ui\package.json VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Program Files (x86)\Fast!\ui\package.json VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Users\user\AppData\Local\FAST!\User Data\Default\Network\SCT Auditing Pending Reports VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Program Files (x86)\Fast!\ui\package.json VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Program Files (x86)\Fast!\ui\package.json VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Program Files (x86)\Fast!\ui\js\ui.bin VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Program Files (x86)\Fast!\ui\package.json VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Program Files (x86)\Fast!\ui\package.json VolumeInformation
Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe	Queries volume information: C:\Program Files (x86)\Fast!\ui\package.json VolumeInformation

Source: C:\Program Files (x86)\Fast!\fast!.exe

Code function: 17_2_00251E10 WaitForSingleObject,OpenEventW,PulseEvent,CreateEventW,GetTickCount64,GetTickCount64,GetTickCount64,GetTickCount64,CreateNamedPipeW,Sleep,Sleep,ShellExecuteW,Sleep,__Mtx_unlock,__Mtx_destroy_in_situ,FreeLibrary,std::_Throw_Cpp_error,std::_Throw_Cpp_error,

17_2_00251E10

Source: C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe

Code function: 10_2_0100D498 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

10_2_0100D498

Source: C:\Program Files (x86)\Fast!\fast!.exe

Code function: 17_2_0028A22B GetTimeZoneInformation,

17_2_0028A22B

Source: C:\Users\user\Desktop\Setup (1).exe

Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040352D

Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Fast!\nwjs\nw.exe

File opened: C:\Users\user\AppData\Local\FAST!\User Data\Default\History

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	241 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	1 Replication Through Removable Media	3 Native API	1 Valid Accounts	1 Valid Accounts	2 Obfuscated Files or Information	11 Input Capture	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Data from Local System	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	13 Command and Scripting Interpreter	3 Windows Service	11 Access Token Manipulation	1 DLL Side-Loading	Security Account Manager	1 System Network Connections Discovery	SMB/Windows Admin Shares	11 Input Capture	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	1 Registry Run Keys / Startup Folder	3 Windows Service	12 Masquerading	NTDS	3 File and Directory Discovery	Distributed Component Object Model	1 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Bootkit	23 Process Injection	1 Valid Accounts	LSA Secrets	189 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	24 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Query Registry	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Access Token Manipulation	DCSync	471 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	23 Process Injection	Proc Filesystem	24 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Bootkit	/etc/passwd and /etc/shadow	2 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
C:\Program Files (x86)\Fast!\FastSRV.exe	58%	ReversingLabs	Win32.Adware.RedCap
C:\Program Files (x86)\Fast!\fast!.exe	46%	ReversingLabs	Win32.Adware.RedCap
C:\Program Files (x86)\Fast!\nwjs\d3dcompiler_47.dll	0%	ReversingLabs
C:\Program Files (x86)\Fast!\nwjs\ffmpeg.dll	0%	ReversingLabs
C:\Program Files (x86)\Fast!\nwjs\libEGL.dll	0%	ReversingLabs
C:\Program Files (x86)\Fast!\nwjs\libGLESv2.dll	0%	ReversingLabs
C:\Program Files (x86)\Fast!\nwjs\node.dll	0%	ReversingLabs
C:\Program Files (x86)\Fast!\nwjs\nw.dll	3%	ReversingLabs
C:\Program Files (x86)\Fast!\nwjs\nw.exe	3%	ReversingLabs
C:\Program Files (x86)\Fast!\nwjs\nw_elf.dll	0%	ReversingLabs
C:\Program Files (x86)\Fast!\nwjs\swiftshader\libEGL.dll	0%	ReversingLabs
C:\Program Files (x86)\Fast!\nwjs\swiftshader\libGLESv2.dll	0%	ReversingLabs
C:\Program Files (x86)\Fast!\nwjs\vk_swiftshader.dll	0%	ReversingLabs
C:\Program Files (x86)\Fast!\nwjs\vulkan-1.dll	0%	ReversingLabs
C:\Program Files (x86)\Fast!\uninstaller.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsb9574.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsb9574.tmp\inetc.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsb9574.tmp\nsDialogs.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsjF660.tmp\SimpleSC.dll	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsjF660.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsjF660.tmp\inetc.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsjF660.tmp\nsExec.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://anglebug.com/4633	0%	URL Reputation	safe
https://anglebug.com/7382	0%	URL Reputation	safe
http://anglebug.com/6929	0%	URL Reputation	safe
https://anglebug.com/7246	0%	URL Reputation	safe
https://anglebug.com/7369	0%	URL Reputation	safe
https://anglebug.com/7489	0%	URL Reputation	safe
http://anglebug.com/4722	0%	URL Reputation	safe
https://outlook.come	0%	URL Reputation	safe
http://anglebug.com/3502	0%	URL Reputation	safe
http://anglebug.com/3623	0%	URL Reputation	safe
http://anglebug.com/3625	0%	URL Reputation	safe
http://anglebug.com/3624	0%	URL Reputation	safe
http://anglebug.com/3862	0%	URL Reputation	safe
http://anglebug.com/4836	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://anglebug.com/3970	0%	URL Reputation	safe
http://anglebug.com/5901	0%	URL Reputation	safe
http://anglebug.com/3965	0%	URL Reputation	safe
https://anglebug.com/7161	0%	URL Reputation	safe
https://anglebug.com/7162	0%	URL Reputation	safe
http://anglebug.com/5906	0%	URL Reputation	safe
http://anglebug.com/2517	0%	URL Reputation	safe
http://anglebug.com/4937	0%	URL Reputation	safe
http://anglebug.com/3584I	0%	Avira URL Cloud	safe
http://anglebug.com/3584p	0%	Avira URL Cloud	safe
http://anglebug.com/3586;	0%	Avira URL Cloud	safe
http://anglebug.com/5906anced	0%	Avira URL Cloud	safe
https://anglebug.com/7369%	0%	Avira URL Cloud	safe
http://anglebug.com/5535mb	0%	Avira URL Cloud	safe
http://anglebug.com/4551a	0%	Avira URL Cloud	safe
http://anglebug.com/8297d	0%	Avira URL Cloud	safe
https://anglebug.com/7162e_etc	0%	Avira URL Cloud	safe
http://anglebug.com/5881(	0%	Avira URL Cloud	safe
http://anglebug.com/5906mO	0%	Avira URL Cloud	safe
https://anglebug.com/7369o	0%	Avira URL Cloud	safe
http://anglebug.com/8297=bC	0%	Avira URL Cloud	safe
http://anglebug.com/8280eak	0%	Avira URL Cloud	safe
https://anglebug.com/5845mat	0%	Avira URL Cloud	safe
https://tc39.es/ecma262/#sec-timeclip	0%	Avira URL Cloud	safe
https://heycam.github.io/webidl/#es-interfaces	0%	Avira URL Cloud	safe
https://heycam.github.io/webidl/#dfn-iterator-prototype-object	0%	Avira URL Cloud	safe
https://heycam.github.io/webidl/#es-iterable-entries	0%	Avira URL Cloud	safe
http://anglebug.com/8297	0%	Avira URL Cloud	safe
https://tc39.es/ecma262/#sec-%typedarray%-intrinsic-object	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://anglebug.com/5535mb	nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/3584I	nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/umdjs/umd/blob/d31bb6ee7098715e019f52bdfe27b3e4bfd2b97e/templates/jqueryPlugin.js	nw.exe, 00000019.00000003.2937862084.000039800054C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937935276.000039800055C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937995621.000039800057C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937893520.000039800056C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://anglebug.com/4633	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864143662.000002316EF19000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://anglebug.com/7382	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=en-GB1	nw.exe, 00000012.00000003.2854512728.000002316F4E4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/nodejs/node/pull/35941	nw.exe, 00000019.00000003.3047534576.0000534900582000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900B02000.00000004.00001000.00020000.00000000.sdmp	false		high
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	nw.exe, 00000012.00000000.2805895132.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp, nw.exe, 00000013.00000000.2815469653.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp, nw.exe, 00000014.00000000.2823375777.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp, nw.exe, 00000015.00000000.2847572150.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp, nw.exe, 00000016.00000000.2856410253.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp, nw.exe, 00000019.00000000.2874336337.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmp	false		high
https://veryfast.io/register.php?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873&ch	Setupuser.exe, 00000007.00000002.2783609286.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, Setupuser.exe, 00000007.00000003.2780591249.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, Setupuser.exe, 00000007.00000002.2785435348.0000000002F52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://veryfast.io/pixel.gif?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&version=2.334&evt_src=produc	nw.exe, 00000019.00000003.3061744110.0000534900682000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3042520302.000001C4AEDCD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900382000.00000004.00001000.00020000.00000000.sdmp	false		high
https://encoding.spec.whatwg.org/#textencoder	nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	false		high
https://goo.gl/t5IS6M).	nw.exe, 00000019.00000003.3058542689.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3177799024.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3180146505.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3183730297.0000534900802000.00000004.00001000.00020000.00000000.sdmp	false		high
http://anglebug.com/3584p	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anglebug.com/7369%	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://accounts.google.com/embedded/setup/kidsignin/chromeos	nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850389338.000002316E50D000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864266456.000002316E506000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anglebug.com/3586;	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://url.spec.whatwg.org/#concept-urlencoded-serializer	nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	false		high
http://anglebug.com/6929	nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://url.spec.whatwg.org/#dom-urlsearchparams-urlsearchparams	nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	false		high
https://accounts.google.com/embedded/setup/kidsignup/chromeos	nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wiki.squid-cache.org/SquidFaq/InnerWorkings#What_is_a_half-closed_filedescriptor.3F	nw.exe, 00000019.00000003.3058542689.0000534900602000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	false		high
https://nodejs.org/api/fs.html	nw.exe, 00000019.00000003.3058542689.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3177799024.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3180146505.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3183730297.0000534900802000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/nodejs/node/pull/21313	nw.exe, 00000019.00000003.3058542689.0000534900602000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	false		high
https://anglebug.com/7246	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://anglebug.com/7162e_etc	nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anglebug.com/7369	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://anglebug.com/7489	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.midnight-commander.org/browser/lib/tty/key.c	nw.exe, 00000019.00000003.3052760831.0000534900542000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900B02000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.squid-cache.org/Doc/config/half_closed_clients/	nw.exe, 00000019.00000003.3058542689.0000534900602000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tc39.es/ecma262/#sec-timeclip	nw.exe, 00000019.00000003.3058542689.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3177799024.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3180146505.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3183730297.0000534900802000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://veryfast.io/inst_excl.php?guid=	Setup (1).exe, 00000000.00000002.2399493788.0000000000558000.00000004.00000020.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/161903006	nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://veryfast.io/keys/4D802742-3099-9C0E-C19B-2A23EA1FC420.license	nw.exe, 00000019.00000003.3137423278.0000534900682000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/nodejs/node/pull/48477#issuecomment-1604586650	nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	false		high
https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy	nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	false		high
https://code.google.com/p/chromium/issues/detail?id=25916	nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/en-US/docs/Web/API/CanvasRenderingContext2D.lineCap	nw.exe, 00000019.00000003.2937935276.000039800055C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937575238.0000398000540000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937524440.000039800053C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2932769401.0000398000538000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2932602190.0000398000534000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937995621.000039800057C000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2937893520.000039800056C000.00000004.00001000.00020000.00000000.sdmp	false		high
http://anglebug.com/8297d	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/4722	nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/5906anced	nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.come	explorer.exe, 0000001A.00000000.2910882616.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2983282897.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.3076180728.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2985772392.000000000C071000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/4551a	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/5906mO	nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cert.fnmt.es/dpcs/	nw.exe, 00000019.00000003.3057523030.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEDBD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://repcdn.veryfast.io/download/2.334/Setupuser.exe	Setup (1).exe, 00000000.00000002.2400896805.0000000002F50000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/nodejs/node/pull/12607	nw.exe, 00000019.00000003.3058542689.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3177799024.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3180146505.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3183730297.0000534900802000.00000004.00001000.00020000.00000000.sdmp	false		high
https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope.	nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt	nw.exe, 00000019.00000003.3124885117.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3047534576.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.00005349006C2000.00000004.00001000.00020000.00000000.sdmp	false		high
http://anglebug.com/5881(	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://accounts.google.com/embedded/xreauth/chromeF_	nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp	false		high
https://accounts.google.com/signin/chrome/sync?ssp=1	nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anglebug.com/3502	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/3623	nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://veryfast.io/download.php?user=1&guid=	Setup (1).exe, 00000000.00000002.2399493788.0000000000558000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anglebug.com/3625	nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://veryfast.io/	fast!.exe, fast!.exe, 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000011.00000000.2775685966.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000018.00000002.2891621859.000000000029C000.00000002.00000001.01000000.00000014.sdmp, fast!.exe, 00000018.00000000.2871457721.000000000029C000.00000002.00000001.01000000.00000014.sdmp, nw.exe, 00000019.00000003.3044127165.0000398000664000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3043484535.0000398000664000.00000004.00001000.00020000.00000000.sdmp	false		high
http://anglebug.com/3624	nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://accounts.google.com/chrome/blank.html	nw.exe, 00000012.00000003.2872116857.000002316E483000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2850487388.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2864352039.000002316E478000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en-GB	nw.exe, 00000012.00000003.2854512728.000002316F4E4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anglebug.com/3862	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://anglebug.com/7369o	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/8280eak	nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/4836	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://issuetracker.google.com/issues/166475273	nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 0000001A.00000000.2900973229.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.2897497933.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.2900950643.0000000007B50000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://heycam.github.io/webidl/#es-iterable-entries	nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://heycam.github.io/webidl/#es-interfaces	nw.exe, 00000019.00000003.3052983007.0000534900442000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/nodejs/node/issues	nw.exe, 00000019.00000003.3052983007.0000534900402000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2890905104.000001C42DCB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.2890672365.000001C42DCB0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anglebug.com/8297=bC	nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anglebug.com/5845mat	nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadisglobal.com/cps0	nw.exe, 00000019.00000003.3057523030.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3053607155.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3054544218.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3060970751.000001C4AEC0A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://url.spec.whatwg.org/#urlsearchparams	nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	false		high
https://infra.spec.whatwg.org/#ascii-whitespace	nw.exe, 00000019.00000003.3124885117.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3047534576.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349006C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.00005349006C2000.00000004.00001000.00020000.00000000.sdmp	false		high
http://anglebug.com/3970	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://issuetracker.google.com/284462263X	nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.rfc-editor.org/rfc/rfc9110#section-5.2	nw.exe, 00000019.00000003.3058542689.0000534900602000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3052983007.0000534900342000.00000004.00001000.00020000.00000000.sdmp	false		high
https://streams.spec.whatwg.org/#example-manual-write-with-backpressure	nw.exe, 00000019.00000003.3052760831.0000534900542000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900B02000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/nodejs/node/pull/30380#issuecomment-552948364	nw.exe, 00000019.00000003.3052983007.0000534900402000.00000004.00001000.00020000.00000000.sdmp	false		high
https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB	nw.exe, 00000012.00000003.2850944838.000002316E3F2000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2856228361.000002316E3EE000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3056032295.000001C42DBCF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval	nw.exe, 00000019.00000003.3047534576.0000534900702000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3177799024.0000534900702000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.0000534900702000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.0000534900702000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.0000534900702000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3183730297.0000534900702000.00000004.00001000.00020000.00000000.sdmp	false		high
https://heycam.github.io/webidl/#dfn-iterator-prototype-object	nw.exe, 00000019.00000003.3180146505.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3058542689.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.00005349007C2000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.00005349007C2000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0radnlcoJ	nw.exe, 00000019.00000003.3030093002.000001C42D9E5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3067152469.000001C42D9E5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3066068694.000001C42D9E6000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3024117196.000001C42D9E5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3036345374.000001C42D9E5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3021575713.000001C42D9E5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3067998583.000001C42D9E5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anglebug.com/8297	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/nodejs/node/pull/38614)	nw.exe, 00000019.00000003.3052983007.0000534900402000.00000004.00001000.00020000.00000000.sdmp	false		high
http://anglebug.com/5901	nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/3965	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://anglebug.com/7161	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/nodejs/node/pull/32887	nw.exe, 00000019.00000003.3047534576.0000534900582000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3055363877.0000534900B02000.00000004.00001000.00020000.00000000.sdmp	false		high
https://veryfast.io/installed.php?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873j	Setupuser.exe, 00000007.00000002.2785435348.0000000002F71000.00000004.00000020.00020000.00000000.sdmp	false		high
https://anglebug.com/7162	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nodejs.org/download/release/v20.7.0/win-x64/node.lib	nw.exe, 00000019.00000003.3052983007.0000534900442000.00000004.00001000.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/292285899	nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tc39.es/ecma262/#sec-%typedarray%-intrinsic-object	nw.exe, 00000019.00000003.3052983007.00005349003C2000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/nodejs/node/issues/19009	nw.exe, 00000019.00000003.3058542689.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3175586349.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3177799024.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3180146505.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3124885117.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3137423278.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3142085516.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3131950419.0000534900802000.00000004.00001000.00020000.00000000.sdmp, nw.exe, 00000019.00000003.3183730297.0000534900802000.00000004.00001000.00020000.00000000.sdmp	false		high
http://anglebug.com/5906	nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.000002228112C000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848925464.000002228113F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/2517	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/4937	nw.exe, 00000012.00000003.2862383131.000002316EF26000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2854704794.000002316EF05000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000012.00000003.2860536234.000002316EEB5000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2848191857.0000022281160000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811CF000.00000004.00000020.00020000.00000000.sdmp, nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	explorer.exe, 0000001A.00000000.2899691415.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/166809097	nw.exe, 00000014.00000003.2851230387.00000222811B4000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.253.63.84	unknown	United States	15169	GOOGLEUS	false
142.251.40.228	unknown	United States	15169	GOOGLEUS	false
156.146.36.24	unknown	United States	60068	CDN77GB	false
142.250.80.67	unknown	United States	15169	GOOGLEUS	false
69.192.108.161	unknown	United States	16625	AKAMAI-ASUS	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.80.3	unknown	United States	15169	GOOGLEUS	false
157.240.241.1	unknown	United States	32934	FACEBOOKUS	false
161.35.127.181	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.65.234	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
142.250.80.99	unknown	United States	15169	GOOGLEUS	false
142.250.80.78	unknown	United States	15169	GOOGLEUS	false
142.250.81.234	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
89.187.177.16	unknown	Czech Republic	60068	CDN77GB	false
142.251.41.4	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.8
192.168.2.7
192.168.2.9
192.168.2.4
192.168.2.6
192.168.2.5
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1396397
Start date and time:	2024-02-21 19:09:01 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup (1).exe
Detection:	MAL
Classification:	mal42.spyw.evad.winEXE@58/352@0/25
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 69% Number of executed functions: 139 Number of non-executed functions: 270
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: Setup (1).exe

Simulations

Behavior and APIs

Time	Type	Description
19:11:34	API Interceptor	3423984x Sleep call for process: fast!.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
69.192.108.161	MDE_File_Sample_765abf7850be761b408c4c4f880e0db29364dba6.zip	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Glupteba, Vidar	Browse
	RdHeDCQH65.exe	Get hash	malicious	Amadey, Mystic Stealer, RedLine, SmokeLoader	Browse
	QczrmP9PoP.exe	Get hash	malicious	Amadey, Mystic Stealer, RedLine, SmokeLoader	Browse
	8FmcUr4p8k.exe	Get hash	malicious	Amadey, Babadeda, Mystic Stealer, RedLine, SmokeLoader, zgRAT	Browse
	pTtusy15oR.exe	Get hash	malicious	Amadey, Babadeda, Mystic Stealer, RedLine, SmokeLoader, zgRAT	Browse
	dRDzfq14qX.exe	Get hash	malicious	Amadey, Babadeda, Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader	Browse
	F9eP10wDdq.exe	Get hash	malicious	Amadey, Babadeda, Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader	Browse
	jmkCtwPTlr.exe	Get hash	malicious	Amadey, Babadeda, Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader	Browse
	teamviewer_Px-yDq1.exe	Get hash	malicious	Unknown	Browse
162.159.61.3	SecuriteInfo.com.Win32.TrojanX-gen.12059.13339.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.28416.7533.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	SecuriteInfo.com.TScope.Malware-Cryptor.SB.26060.13321.exe	Get hash	malicious	RisePro Stealer	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.10044.64.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	GHQ076500kh.exe	Get hash	malicious	Remcos	Browse
	lmiXXjKzpz.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	I2jCDr35mu.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.137.30573.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.17920.19764.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
161.35.127.181	Setup (1).exe	Get hash	malicious	Unknown	Browse
	Setup (1).exe	Get hash	malicious	Unknown	Browse
	https://veryfast.io/downloading.html	Get hash	malicious	Unknown	Browse
172.64.41.3	SecuriteInfo.com.Win32.TrojanX-gen.12059.13339.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.28416.7533.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	SecuriteInfo.com.TScope.Malware-Cryptor.SB.26060.13321.exe	Get hash	malicious	RisePro Stealer	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.32025.7334.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.10044.64.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	https://stackauth-bainlk.cz/save/sharefile/	Get hash	malicious	Unknown	Browse
	lmiXXjKzpz.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	I2jCDr35mu.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.137.30573.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
156.146.36.24	OriginalMessage.txt.msg	Get hash	malicious	HTMLPhisher	Browse
	http://ctaa.net	Get hash	malicious	Unknown	Browse
	http://meetidgo.com	Get hash	malicious	Unknown	Browse
	https://p.feedblitz.com/t3.asp?/1081591/102442729/7821567_/~feeds.feedblitz.com/~/t/0/0/sethsblog/posts/~//r20.rs6.net/tn.jsp?f=001vFHMoPyMo0WrLNfpX5KrbtnufSjk2FOwtHR22KMN3Rk2jm9egqQ-LneL9hrc8v-KzCiuxG7Tg8qxaN0rQ7VfREnaa5XzjjgpddfwOaxHG28Xxu5OEqHhkN4TqD27DJaibctIlhoejDGVQsZ4d5oq1Q==&c=&ch==&__=//759828888653463565484/chsrnpivkmkksyytiebvnhngtvnqkkhoqtbxbaaaqeizaejifxfngmzuxvdujlzlyukilvudxlhbwpprdaaocvlxvluzxqnsohchzvoqngefhnnekodztbnutzabomeymcnbtujvwelkwzqdyehadbvnkakmelazyjnblkhlnobznxktzvnedkwbjcgkayajnjwafporsuuez/xeyrddxvmdvwsnebdgoc/YWRhbS5zY2hpbGRnZUBkb3QuZ292	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CDN77GB	http://boomba.club	Get hash	malicious	Unknown	Browse	156.146.36.23
	speke.msi	Get hash	malicious	Unknown	Browse	156.146.36.23
	https://file.io/DEhOHv7umoCj	Get hash	malicious	Unknown	Browse	185.93.1.250
	https://cloud.mail.ru/stock/hG498Pfe7uJ1fEVeN7iTtbHo	Get hash	malicious	HTMLPhisher	Browse	195.181.164.14
	arm7.elf	Get hash	malicious	Mirai	Browse	156.146.54.88
	https://home-online-15c8.tenakiw192.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	89.187.171.26
	https://vusx-xqx6j.ondigitalocean.app/hrk0x00786xWnx009xhrkrrk00x/index.php?phone=+1-844-509-4222	Get hash	malicious	TechSupportScam	Browse	185.152.66.243
	Macquarie.apk	Get hash	malicious	Unknown	Browse	185.102.217.65
	http://maxcdn.bootstrapcdn.cloud	Get hash	malicious	Unknown	Browse	185.152.66.243
	http://xml-v4.trustflayer1.online	Get hash	malicious	Unknown	Browse	185.152.66.243
CLOUDFLARENETUS	https://sway.cloud.microsoft/qftK1DjDwufaS50W?ref=Link	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	172.67.138.224
	https://www.joesandbox.com/#windows	Get hash	malicious	Unknown	Browse	172.67.7.107
	https://teamcallview.com/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	https://allo.io/s/EGyunwQfmsp7nqtHG0QKXRlwyRawmXy37OQMiyvGnKhyGWuRCYR3cCgUtDMBEvEw	Get hash	malicious	Unknown	Browse	104.16.126.175
	https://na3.documents.adobe.com/public/esign?tsid=CBFCIBAACBSCTBABDUAAABACAABAA6VYJuh-Vl-6LaRgvv4E_rUNpgW92igmRbwjR3qOrdI0ugBjOI6DGEsQ_cXed0YiPGrnqBWG-ZJgwKx8sFhMJr_29pXMwa0oxIAbIVVT7mGyiXgYME8smNO4Yi8sMPdmE&	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://pocloudcentral.crm.powerobjects.net/PowerEmailWebsite//GetUrl2013.aspx?t=TEka9Gzp+UWz6rVgaDAhSUMAUgBNAA==&eId=03e02621-4ddf-eb11-8150-00155d010e03&pval=//companytst%E3%80%82com/#nuhFZ2FycmV0dC5ib2F0bWFuQHJhdmVpcy5jb20=??kypxg44fhlrkaixdobr=Z2FycmV0dC5ib2F0bWFuQHJhdmVpcy5jb20=/..=J3I8Or&u=276b8dda4ef94158348d5b6b8&id=6b7205781d	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	SecuriteInfo.com.Win32.TrojanX-gen.12059.13339.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	172.64.41.3
	https://telegra.ph/Mainegov-02-21	Get hash	malicious	HTMLPhisher	Browse	162.247.243.29
	Secured_Docs_Shared_Online (12.4 KB).msg	Get hash	malicious	ReCaptcha Phish	Browse	104.17.25.14
	https://geteasypdf.com/	Get hash	malicious	Unknown	Browse	104.17.25.14
DIGITALOCEAN-ASNUS	https://track.enterprisetechsol.com/z.z?l=aHR0cHM6Ly93d3cuaXRidXNpbmVzc3BsdXMuY29tL3Vuc3Vic2NyaWJlLw%3d%3d&r=14487571917&d=12037165&p=1&t=h&h=9f1eb68762ba4f0cfec0c474b33c342d	Get hash	malicious	Unknown	Browse	104.248.15.35
	PO #1131011152-2024-Order,pdf.exe	Get hash	malicious	AgentTesla	Browse	128.199.104.93
	#U00d6deme Onay#U0131 Kopyas#U0131.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	159.65.94.38
	SecuriteInfo.com.Win64.ExploitX-gen.17969.12173.exe	Get hash	malicious	AgentTesla	Browse	128.199.104.93
	U3jqFwE41l.elf	Get hash	malicious	Mirai	Browse	157.245.54.103
	mfyPnr7Rxa.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	139.59.13.4
	https://cpa-ftk.pages.dev/robots.txt	Get hash	malicious	HTMLPhisher	Browse	134.122.57.34
	MCYq2AqNU0.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	138.197.213.185
	HDTFFrAXui.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	159.89.39.180
	Scan 20.02.24.pdf.exe	Get hash	malicious	AgentTesla	Browse	68.183.17.152
CLOUDFLARENETUS	https://sway.cloud.microsoft/qftK1DjDwufaS50W?ref=Link	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	172.67.138.224
	https://www.joesandbox.com/#windows	Get hash	malicious	Unknown	Browse	172.67.7.107
	https://teamcallview.com/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	https://allo.io/s/EGyunwQfmsp7nqtHG0QKXRlwyRawmXy37OQMiyvGnKhyGWuRCYR3cCgUtDMBEvEw	Get hash	malicious	Unknown	Browse	104.16.126.175
	https://na3.documents.adobe.com/public/esign?tsid=CBFCIBAACBSCTBABDUAAABACAABAA6VYJuh-Vl-6LaRgvv4E_rUNpgW92igmRbwjR3qOrdI0ugBjOI6DGEsQ_cXed0YiPGrnqBWG-ZJgwKx8sFhMJr_29pXMwa0oxIAbIVVT7mGyiXgYME8smNO4Yi8sMPdmE&	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://pocloudcentral.crm.powerobjects.net/PowerEmailWebsite//GetUrl2013.aspx?t=TEka9Gzp+UWz6rVgaDAhSUMAUgBNAA==&eId=03e02621-4ddf-eb11-8150-00155d010e03&pval=//companytst%E3%80%82com/#nuhFZ2FycmV0dC5ib2F0bWFuQHJhdmVpcy5jb20=??kypxg44fhlrkaixdobr=Z2FycmV0dC5ib2F0bWFuQHJhdmVpcy5jb20=/..=J3I8Or&u=276b8dda4ef94158348d5b6b8&id=6b7205781d	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	SecuriteInfo.com.Win32.TrojanX-gen.12059.13339.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	172.64.41.3
	https://telegra.ph/Mainegov-02-21	Get hash	malicious	HTMLPhisher	Browse	162.247.243.29
	Secured_Docs_Shared_Online (12.4 KB).msg	Get hash	malicious	ReCaptcha Phish	Browse	104.17.25.14
	https://geteasypdf.com/	Get hash	malicious	Unknown	Browse	104.17.25.14
AKAMAI-ASUS	https://na3.documents.adobe.com/public/esign?tsid=CBFCIBAACBSCTBABDUAAABACAABAA6VYJuh-Vl-6LaRgvv4E_rUNpgW92igmRbwjR3qOrdI0ugBjOI6DGEsQ_cXed0YiPGrnqBWG-ZJgwKx8sFhMJr_29pXMwa0oxIAbIVVT7mGyiXgYME8smNO4Yi8sMPdmE&	Get hash	malicious	Unknown	Browse	23.57.90.71
	OCpq0UdzzX.elf	Get hash	malicious	Mirai	Browse	104.106.183.18
	6IFFuTI261.elf	Get hash	malicious	Mirai	Browse	96.7.202.142
	b3astmode.arm.elf	Get hash	malicious	Mirai	Browse	104.90.135.174
	https://o365aqzkadahajmsditmwjlo-987555.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	23.40.179.187
	SecuriteInfo.com.TScope.Malware-Cryptor.SB.26060.13321.exe	Get hash	malicious	RisePro Stealer	Browse	23.199.65.201
	SecuriteInfo.com.Win32.TrojanX-gen.32025.7334.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	23.199.65.193
	SecuriteInfo.com.Win32.TrojanX-gen.10044.64.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	23.199.65.193
	https://stackauth-bainlk.cz/save/sharefile/	Get hash	malicious	Unknown	Browse	23.49.251.27
	lmiXXjKzpz.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	23.199.65.201

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\Fast!\nwjs\d3dcompiler_47.dll	webex.exe	Get hash	malicious	Unknown	Browse
	webex.exe	Get hash	malicious	Unknown	Browse
	Uniapt Setup.exe	Get hash	malicious	Unknown	Browse
	Planets Therapy Setup.exe	Get hash	malicious	Unknown	Browse
	Planets Therapy Setup.exe	Get hash	malicious	Unknown	Browse
	Sky Beta .exe	Get hash	malicious	Unknown	Browse
	teai_demo.exe	Get hash	malicious	Unknown	Browse
	Planets Therapy.exe	Get hash	malicious	Unknown	Browse
	Planets Therapy.exe	Get hash	malicious	Unknown	Browse
	oPUxYDe9mt.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files (x86)\Fast!\BigTestFile

Download File

Process:	C:\Program Files (x86)\Fast!\fast!.exe
File Type:	data
Category:	dropped
Size (bytes):	25600000
Entropy (8bit):	0.022346260236084957
Encrypted:	false
SSDEEP:	3:k/+/+/+/+/+/+/+/+/+/+/+/+/+/+/+/+/+/+/+/+/+/+/+/+/+/+/+/+/+/+/+/:
MD5:	44FB8F21B6795D6CF2F1F5A5484920DF
SHA1:	2E319197D4658E4DF3AAA447C02CDA27637A9AC4
SHA-256:	BAC18353056434C0E46E6AB842551AAD43A8DFE03C060167F3D02CBD46825046
SHA-512:	07A7C97F3D03AD1F418EE31F7D6A3F4D474FCDCF250387433B779A41F042783810276CDADF0542670049E13659A05544F60DED4982C89F0DF25B967423D61FEF
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Fast!\FastSRV.exe

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	98648
Entropy (8bit):	6.50629717708545
Encrypted:	false
SSDEEP:	3072:ifzhRR+glf+8kxh174xM/bU33zNxFxSLkujKXSBk:iLQOf+bexMbjKXp
MD5:	CD46510547991D8DC8ED3BA175985E4D
SHA1:	3AA88C36B62EE64E1ED36F2F87D28503321F42B9
SHA-256:	2C517200BB51BB6BA777676BC2588166A0717670A7E81655941E97F76609C7CA
SHA-512:	BBED5E6CF0F9017750410578E8A7A284E775572F8D9D3A551C7EF02AA997B8C2586447974283D473077EEE59206A21EAE28035FC095D017308FB14492CF3E5C5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........a..............x.......x.......x...............................x........................l.............Rich............................PE..L...1..e...............%..........................@.......................................@.................................d>..x....p...............X..X)..........p1..p....................2.......0..@...............p............................text...:........................... ..`.rdata...g.......h..................@..@.data........P.......<..............@....rsrc........p.......F..............@..@.reloc...............H..............@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Fast!\fast!.exe

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	672088
Entropy (8bit):	6.585396908046599
Encrypted:	false
SSDEEP:	12288:k4V8FQaGoCKLpHEr+yvDRt1nBVpf70tYDPm71YuMzrPcTg3GLxhcHBwAH:k4V8Y+KBnDpD0tYDPC1YZrl8xhkdH
MD5:	CF118C6E3FAF9E10A566B4155AB5F2EF
SHA1:	E4738F316BAF2D4EBA280AAB462FCCADA193311F
SHA-256:	35BD72E4B802470FA5230E1F747941CA276CDF2BAEEB0AB6068CB081335A661A
SHA-512:	97FF1F0B083B96B6FC9BFFFCBAF5F22DD8C3B95A3B0840BFDD766D08DF7FDD5A708CE25D1E276F07B2DBE180A13D83F7B128A17AEE3DA954953CCBE269B46DAB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 46%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v2.[2S..2S..2S..y+..9S..y+...S..',.. S..',..)S..',..VS..y+..%S..y+..%S..2S...S.......S....6.3S..2S^.3S......3S..Rich2S..........PE..L...-..e...............%.....\|......k*............@..........................`.......r....@..................................0...........D..............X).......]......p...............................@...............\............................text.............................. ..`.rdata..............................@..@.data....Q...P...@...4..............@....rsrc....D.......F...t..............@..@.reloc...].......^..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Fast!\nwjs\credits.html

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	9285528
Entropy (8bit):	4.830539768724432
Encrypted:	false
SSDEEP:	24576:mDWFy1PJPMPJTV/ti5DSP12dvbV2W20v6vqKesb+uUPJNPJ6PJiPJzPJdWfsvDAT:mDWFQhCr/tipQcdp2z6IDesaDqG1lva
MD5:	C2F7BC99A1BBDAEEDC88DD2F1678C1D8
SHA1:	560222008DBB6C51DBA7E5F8284ECEBCDF8692BE
SHA-256:	DE1CE7A596D3C09D91F8F0F21CA835E25F981D0799C8B12CB470CE3AF1DCE65B
SHA-512:	A2808A0A6F4415E70C4F2F628B4E8B97D4461E03453A9C772E7B8B4F889DF8660768B3D71DBD1B26E6D41D11C2C6FB0A0E1A2F9E549012BD2942D7B22893BFAD
Malicious:	false
Preview:	Generated by licenses.py; do not edit. --><!doctype html>..<html>..<head>..<meta charset="utf-8">..<meta name="viewport" content="width=device-width">..<meta name="color-scheme" content="light dark">..<title>Credits</title>..<link rel="stylesheet" href="chrome://resources/css/text_defaults.css">..<link rel="stylesheet" href="chrome://credits/credits.css">..</head>..<body>..<span class="page-title">Credits</span>..<a id="print-link" href="#" hidden>Print</a>..<div class="open-sourced">.. Chromium software is made available as source code.. <a href="https://source.chromium.org/chromium">here</a>...</div>....<div style="clear:both; overflow:auto;"> Chromium <3s the following projects -->..<div class="product">..<span class="title">2-dim General Purpose FFT (Fast Fourier/Cosine/Sine Transform) Package</span>..<span class="homepage"><a href="http://www.kurims.kyoto-u.ac.jp/~ooura/fft.html">homepage</a></span>..<input type="checkbox" hidden id="0">..<label class="show" for="0"

C:\Program Files (x86)\Fast!\nwjs\d3dcompiler_47.dll

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4916712
Entropy (8bit):	6.398049523846958
Encrypted:	false
SSDEEP:	49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l
MD5:	2191E768CC2E19009DAD20DC999135A3
SHA1:	F49A46BA0E954E657AAED1C9019A53D194272B6A
SHA-256:	7353F25DC5CF84D09894E3E0461CEF0E56799ADBC617FCE37620CA67240B547D
SHA-512:	5ADCB00162F284C16EC78016D301FC11559DD0A781FFBEFF822DB22EFBED168B11D7E5586EA82388E9503B0C7D3740CF2A08E243877F5319202491C8A641C970
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: webex.exe, Detection: malicious, Browse Filename: webex.exe, Detection: malicious, Browse Filename: Uniapt Setup.exe, Detection: malicious, Browse Filename: Planets Therapy Setup.exe, Detection: malicious, Browse Filename: Planets Therapy Setup.exe, Detection: malicious, Browse Filename: Sky Beta .exe, Detection: malicious, Browse Filename: teai_demo.exe, Detection: malicious, Browse Filename: Planets Therapy.exe, Detection: malicious, Browse Filename: Planets Therapy.exe, Detection: malicious, Browse Filename: oPUxYDe9mt.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\|3..]...]...]..e\...]...\.5.]..e...]..wX...]..wY...]..e^...]..eX.y.]..eY...]..e]...]..eU./.]..e....]..e_...].Rich..].................PE..d...^.}`.........." ......8..........<).......................................K.....:FK...`A........................................`%G.x....(G.P.....J.@.....H.......J..%....J.....p.D.p....................S<.(...pR<.@............S<.(............................text.....8.......8................. ..`.rdata...F....8..P....8.............@..@.data...`....@G......@G.............@....pdata........H......@H.............@..@.rsrc...@.....J......@J.............@..@.reloc........J......PJ.............@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\Fast!\nwjs\ffmpeg.dll

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2046976
Entropy (8bit):	6.649283135735361
Encrypted:	false
SSDEEP:	24576:AWAYwK157qsw8g5DitUKT6mPgPswvD9Q++AViqp6JoIpBHHM9wkk:3Ay15Wiuitp6mPs9T+AVizJochHMM
MD5:	05A1F9113FEEB06EBDB0AF5C94C37879
SHA1:	0647A8FF8852F9735BF3F3B2009FD46FB235F5AE
SHA-256:	A49240F9B626D8EF02713EFC9624408F1FA0399775B68FB3F2EF1DB69FB8AB78
SHA-512:	B9F6A319378345720F55A1620114312558BE2DA0F53C008F0BF984CFDC094EB810470A31248852DF0B0AB07CCE7CE083EFAE1BCD5E015DBC4248DF86137B3B2B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...P0Wd.........." .........@...............................................00...........`A........................................`.......v...(...../.0........}............/..2......8.......................(... ...8...............`............................text...}........................... ..`.rdata...1.......2..................@..@.data........P..."...*..............@....pdata...}.......~...L..............@..@.00cfg..0....`/.....................@..@.gxfg....,...p/.....................@..@.retplne....../..........................tls........../.....................@....voltbl.8...../........................._RDATA......../.....................@..@.rsrc...0...../.....................@..@.reloc...2..../..4..................@..B........................................................................................................................................

C:\Program Files (x86)\Fast!\nwjs\icudtl.dat

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	10717392
Entropy (8bit):	6.282534560973548
Encrypted:	false
SSDEEP:	196608:hpgPBhORiuQwCliXUxbblHa93Whli6Z86WOH:n8wkDliXUxbblHa93Whli6Z8I
MD5:	E0F1AD85C0933ECCE2E003A2C59AE726
SHA1:	A8539FC5A233558EDFA264A34F7AF6187C3F0D4F
SHA-256:	F5170AA2B388D23BEBF98784DD488A9BCB741470384A6A9A8D7A2638D768DEFB
SHA-512:	714ED5AE44DFA4812081B8DE42401197C235A4FA05206597F4C7B4170DD37E8360CC75D176399B735C9AEC200F5B7D5C81C07B9AB58CBCA8DC08861C6814FB28
Malicious:	false
Preview:	...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E.......E..P/...E.../...E..P7...E...7...E...h...F...h.. F..Pi..0F......DF.....WF.....jF..P...}F.......F..`....F.......F.. ....F.......F..0....F.......G......G......(G.....;G..@...NG......aG.....tG.......G.......G..@....G.......G.......G.......G..P....G.......H.......H..P...2H......EH..`...UH......hH......yH..P....H.......H.......H..`....H.......H.......H..P....I.......I......-I..@...=I......PI......aI..@...uI.......I...0...I.. 1...I..p1...I...e...I...e...I...i...I..`i...J...i..)J...K..BJ..p...^J..."'.uJ..P.'..J....'..J...5'..J..06'..J...>'..J..P?'..K...D'..K...F'.0K...H'.IK...V'.hK....(..K....(..K..P.)..K....)..K..pW..K..P...L...*+.?L..p.+.bL....+..L...U,..L....,..L....,..L....,..L..@.,..M....,.-M..P.-.IM.. e-.`M...e-.~M...R/..M.../..M..0.0..M..@.0..M..P.0..M....0..N....0.!N...,0.9N...,0.NN..0-0.fN...-0.vN...Y0..N...Z0..N..

C:\Program Files (x86)\Fast!\nwjs\libEGL.dll

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	455168
Entropy (8bit):	6.325643014425336
Encrypted:	false
SSDEEP:	6144:vE4vggB77XnAFJOiVghQNu0Q/2fNClzCdrJEQa+1:c4ogxnAFJOkghQNrClGrJED
MD5:	FAA27BF7062F3D7514386A5FA4ACB81E
SHA1:	6CE3A638D81B1FC824B2D21C4725B08C72428E73
SHA-256:	1388FB48FA0FB258BB1AAA5597AA2B867144DCEB099DAB3B43101787BB483C2F
SHA-512:	804B7A9A6E0EC4F927CF4AE891F1B78742C5E4E0F463B286AD22C0C37FD7D980CD7EDA3D159A657E5BFCA9344074399560AEC87D7CD580BD29CE864D0DDEE38C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...P0Wd.........." .........".......7....................................................`A........................................`...h.......(.......x.......TB..............4.......8...................p...(....%..8............... ............................text..."........................... ..`.rdata...\|.......~..................@..@.data....O...`... ...H..............@....pdata..TB.......D...h..............@..@.00cfg..0...........................@..@.gxfg...`%.......&..................@..@.retplne.....@...........................tls....!....P......................@....voltbl.8....`.........................._RDATA.......p......................@..@malloc_h0........................... ..`.rsrc...x...........................@..@.reloc..4...........................@..B................................................................................................

C:\Program Files (x86)\Fast!\nwjs\libGLESv2.dll

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6875136
Entropy (8bit):	6.458952708031866
Encrypted:	false
SSDEEP:	49152:FfoLgaKqO6rk/8KR41Xft+AlHH4Jv3l+7gFOsTvZTGT4ltgh/sKDEtVFFTK2/get:6BXFTlnKkuQ4WAiwwHurw3XF
MD5:	B8F6D5DA6F220F8D39D2C0413BF50C7B
SHA1:	18ED7A44DDAB24E81B78142B3B676C8E02F33055
SHA-256:	51E4108E0C3607BB52DD64F3109559A40DCEDFC8BDE4BAFF84EA5F214E97856A
SHA-512:	9459088B776D32101734FF46D49604E12976B18BED832005873AEC360AEF2A9B03F27B79114EED769D32733B48617480D4F289A8EB73657BCF752755CD0FBE33
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...P0Wd.........." ......L...........I.......................................j...........`A........................................}._.....+.`.d.....i.......e...............i.<...tr_.8...................Hq_.(...@t^.8...........H.`......._.@....................text.....L.......L................. ..`.rdata.......L.......L.............@..@.data.........a......ra.............@....pdata........e.......e.............@..@.00cfg..0....ph.......g.............@..@.gxfg....,....h.......g.............@..@.retplne......h.......g..................tls....Q.....h.......g.............@....voltbl.D.....h.......g................._RDATA........h.......g.............@..@malloc_h0.....h.......g............. ..`.rsrc.........i.......g.............@..@.reloc..<.....i.......g.............@..B................................................................................................

C:\Program Files (x86)\Fast!\nwjs\locales\af.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	478847
Entropy (8bit):	5.411085530754943
Encrypted:	false
SSDEEP:	12288:jMe7qtho+VTrASMKVkP+S2Z12JynubrmIZ+8FQgB2CSI2Ts37UzO25g/tz6XiDiN:D7qthoMTcSMaO+S2Z12JynubrmIZ+8Fs
MD5:	FFB5C6F2DD2A21D555DC6E9F57CE8A62
SHA1:	D2D7EA11DD49B6E0210FB96509852431D4056624
SHA-256:	1FC2D1624F4ABF0379E1825B47A3F1B901FDF2FC95485E74581C75A65F2AD3D5
SHA-512:	D74FC561B4221D0CA168463C955865ED004A5763E355D44E800854DB4845850C607E0E1020D6E215D349E18A1B56A3C2B53538DC86CC54D67DE10F47959E2A6A
Malicious:	false
Preview:	.........$..e.~...h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.-...\|.3...}.E.....M.....R.....Z.....b.....j.....q.....x.....................................................I.......................}...................................8.....M.................H.....a.................).....7...............................................$.......................<......................<.................&.....5.................D.....Z...........B.......................7.....T.....e.......................).....r.......................9......................./.............................].......................&.....M.....V.......................!.................P.....g......................B.......................%.............................x.................@.............................n.......................n...................................`.....t...........M.......................r.......................I.....m.....{...........).....T.

C:\Program Files (x86)\Fast!\nwjs\locales\af.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\am.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	776023
Entropy (8bit):	4.912989601907357
Encrypted:	false
SSDEEP:	12288:ij72EQ/cuFzYzxpTEzH3dj262NzTh5j96gVr5OxPF3x30jH8+F:AhQ/fYzxezHNj262NzTh5j96gVr5OxPM
MD5:	ECEB40BA11424F46F2A80DEC00750820
SHA1:	053992E95D2AC8304513252A3DA369925CAF95E5
SHA-256:	8C6606B346A44EF8AD24602B8086831E0DDED9D16B51B3FC72837A98648150E6
SHA-512:	3B720AD44BC040F35D1EAF98751C23EB18D3326B051A95836B6556B8E2BDD3F99D40FB3B21DD8655F2B238511A33C5E83A57EFD2039CFFFCFA6B2CCD6369ADFD
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s....t.3...v.H...w.U...y.[...z.j...\|.p...}.....................................................................................$.....C.............................i.....!.......................].......................w.............................P.....c...........\.................Z...........+.....[.....>...........P.........................................P.................u...........f...........`.......................N.......................n.................).................6.....I.......................3...........c.................f...........E.....[...........s.................`................:.......................<.........../.....i...................................}...........7 ....P .....!.....!.....!....9".....".....#....T#....v#.....$.....$.....$.....$.....%....5&.....&.....&.....'....T(.....(.....(.....)....m..........+.....+.....,.....,.....-....t-.....-.....-................d/...../

C:\Program Files (x86)\Fast!\nwjs\locales\am.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\ar-XB.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	782112
Entropy (8bit):	4.928681356185768
Encrypted:	false
SSDEEP:	6144:JMkZzLmzDtdSSuMQUyniepgRwgPc51CyHjT5fuf7b6bR:JUbDpm5fua
MD5:	4B92310FD43DFB026D329D2C2A5748B6
SHA1:	58C462A55B1087DECB23D3ACD63664D6CDC968EF
SHA-256:	6727C5946AFF5220BC341D105A3BCCDE4EAA8DADB9DED3AE38578AD5B7C1B9D1
SHA-512:	6FB9A7BAA5BC26704A4BDDB5E4AE3FFC5F019F9DFD2064AEC0F68E1DAB3B57187E5A94F9111C09FC5CD382A2A894C5004634500A407F27BC96D1D3925B00BABB
Malicious:	false
Preview:	........c%..e.....h.....i.....j.....k.'...l.2...n.:...o.?...p.L...q.R...r.^...s.o...t.x...v.....w.....y.....z.....\|.....}.........................................................................!.....<.....X.....u.....K.......................b...........^.....z.....A...........k...........@...........8....._...........t.................f...........6.....O...........}.......................\.......................".....}.........../................./..........._.......................U.................t.................5...........2.....u........................................./.................L...........@.....X.........................................r........... .................#.......................3...........>.................E............ ....@ ..... ....m!.....!.....!.....".....#....m#.....#....2$.....$.....$.....$.....%....(&....\|&.....&....]'.....'....M(....}(....a)....8..........*.....+....G,.....,.....,.....-..........k............/...../...../...../.....0....;1.....1

C:\Program Files (x86)\Fast!\nwjs\locales\ar-XB.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\ar.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	854092
Entropy (8bit):	4.92310545483486
Encrypted:	false
SSDEEP:	12288:FG31wB1tu/N/RL8u4NOIv2U3NwFkNN5xNNx+jGqhXpY:wFQyYt5r+W
MD5:	D09D02925D1A68D8AA2A8930CD0D3739
SHA1:	4A72D8A7CB99F2590F450CA1EC872AA829F7D9BF
SHA-256:	57DE76102D4BEA2EDC2042BD4C6E57EC9CD71C1A138D5547030B805A78BA2CB3
SHA-512:	6F9AF788E5230BBBD8616C6CC90AB7799BE4C1E649477E81250ABCEECF0EF77B22488A433A27F69EF6753BA162948890D0705834A4AC3ACD689F37797754D1C4
Malicious:	false
Preview:	........w$..e.(...h.,...i.7...j.C...k.R...l.]...n.e...o.j...p.w...q.}...r.....s.....t.....v.....w.....y.....z.....\|.....}...........................................%.....,...........3.....L.....i.............................Y.....}......................./...........................................................).....o.................y.................b...........F...........F...........X.....~.....].....-.................q...........e...........4...........o.................~...........]...........k.................\.............................%.....e...........5..........._.....}...........\|.................r...........\...................................a...........-.....B...........y.................{...........-.....S...........N...........- ..... ....$!....B!.....!....e"....."....."....j#.....#.....#.....$.....$....-%....r%.....%....#&.....&.....&.....&.....'.....(.....).....)....q.........O+.....+.....,.....,.....,.....,....Q-.....-.....-.....-..........U/...../...../....i0

C:\Program Files (x86)\Fast!\nwjs\locales\ar.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\bg.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	883810
Entropy (8bit):	4.685141869398855
Encrypted:	false
SSDEEP:	24576:8rlCVOq0aAlYMdAs1axUlVbf/1A373ZB93aAK5kVDMb/Rumped2il5vJOueRJ3Qd:8rlCVOq0aAlYtUlVbf/1A373ZT3a1kVP
MD5:	7EF3FCC095170AD95BC91B99FF64E003
SHA1:	CD059C9CE38DE90855242BC0C0060CC96BBE7FB2
SHA-256:	E6D5A9607BD4E9F906B1A81FDD940AF69AF33B1F5402A277660473092950709E
SHA-512:	05320A66AB533626C108EAAC57FD43192DC99809040EE4808528CCEF3DC1803D6FACCE765E7787A5C02B18454D3348BCE0120C53BD56E2DFF9FCB2C6CE5B4A3C
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y."...z.1...\|.7...}.I.....Q.....V.....^.....f.....n.....u.....\|...................................................................................?...........................................................J...........u.................z...........R.....x.....d.........................................b.....L.............................@...................................=.....P.....).......................9.....x...........F...........).....Q...........v.......................3.................\...........0.....O...........b.................[.................=...........p ..... ..... .....!....."....q#.....#....M$.....$.....%....K%.....%....S&.....&.....&.....'....k(.....(.....(.....).....*....$+.....+....@,.....,.....-....5-.....-................,/.....0.....0..../1....d1....T2..../3.....3.....3.....4.....5....+6....u6....@7.....7....38....k8.....9.....9.....9.....:.....;.....;....\<

C:\Program Files (x86)\Fast!\nwjs\locales\bg.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\bn.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	1137123
Entropy (8bit):	4.299580400060432
Encrypted:	false
SSDEEP:	3072:vsgx+0TQQGyqtHFtIdK009fQ0/QB/LCLTSukkRBb6BiDSk51hwDlWA:UgU0TLALM/LYTSunBbl5ylp
MD5:	C7D249577D0BC3BBF809D9A564CEF77C
SHA1:	1B234DEB6712DCAA796F796533FB01D5A097555C
SHA-256:	8638CE39FD97E8ADAF332FFC49E4A0DE9CBEF4D4BC22B18F332799CD408E3C19
SHA-512:	9CB6511A3F6FADB5ECF6303F3704707B076AC30AFDE4906BA934958516DCC47EE2A0189801EAC5432B22F789CEFE65F032AC455E783AB1A5071405F54315CE11
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.,...y.2...z.A...\|.G...}.Y.....a.....f.....n.....v.....{.................................................................Q.....{...........A.....}.....r.....I...........".....G.....A...........>.....6.......................\|.....?.......................?.............................I.................l...........R.....A.............................C.............................U.......................I...........f...........D.....w...................................@.....s...........v.....%....................... ..... ..... ....k!....."...._"....."....-#.....#.....$....<$.....$.....%.....%.....&....''....C(.....)....V)....P*.....+.....+.....+....y,.....-....D-....t-....B...........o/...../.....0....\1.....1....k2....%3.....3.....4....74.....5.....5....%6....]6....`7.....8.....8.....8....!:....u;....h<.....<.....=.....>....y?.....?.....@....}A.....A....(B.....B.....C..../D....^D....dE....8F

C:\Program Files (x86)\Fast!\nwjs\locales\bn.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\ca.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	546766
Entropy (8bit):	5.396073089699102
Encrypted:	false
SSDEEP:	12288:4NlMvG4Tp7dcEpy/m3O5PAF4N3Mw2juwHzejm0t3lvq8E98URaIs3cmlLEYjCJk6:tVYDQ/ROb9ZMN7MZlg5P1XqM
MD5:	C422744DE25D9CE25623EAC83A9FBA46
SHA1:	6C58BA81E244D6C30A3D1AC86300F84DF11B548C
SHA-256:	2EA46B2A2245FBAAEA60309401F8E6BE455B58AABC90CFE99C24B519914F0E36
SHA-512:	997FF1DC5E30C86AAB94A1AE006435CD39877D7B5903FFF2D4C36E2DB5383A76158BBF0EB32B80ABD2FA40EC121A11B43D305B5F249799E77ADFE54504F40D7D
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y. ...z./...\|.5...}.G.....O.....T.....\.....d.....l.....s.....z.........................................................../.................)...................................d.................F.....~.................J.....}.................A.....t.................o.................d.................@.................T.....h...........".....Y.....m...........K.................G...........+.....Q.................2.....N.............................\|.......................\|.................+.......................'.....x.......................Q.......................4.......................T.................&.......................).......................L.......................j.................P.......................-.........................................,.....H...........m.................z...........&.....P.................R.....r.................3.....F.................^.....z.

C:\Program Files (x86)\Fast!\nwjs\locales\ca.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\cs.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	555080
Entropy (8bit):	5.842295811527368
Encrypted:	false
SSDEEP:	6144:Jv0Zr1PzZEPnpreL0vGJA+AsQ0K5B+8VKfNO4w3SBkmPyh8Qms9:h0ZRmNK0vG6L0K5B+8VKfNO93S6mPW
MD5:	120845B1CB9B9D8235CDA4BBFB05FC69
SHA1:	4D30CFFE8C52F3C287062CA1031F4C070C255840
SHA-256:	80DCCCD03056F4D658DEE40C90D0D7AC46B08C6516C0187261E62BC623D8EA40
SHA-512:	0B69DE112419777059597A5346DB101F234B89004ECE1A4313B50309A6542FFA337527355E97EF81644E5D24B7AA6818EFDC17235CB1FCB939987300C339A6DD
Malicious:	false
Preview:	.........$..e.\...h.`...i.h...j.t...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.#.....+.....0.....8.....@.....H.....O.....V.....].....^....._.....a.....q.......................F...........9.....W.................P....._...........b.................H.......................m.......................i.......................l.................)...........:.........................................@.......................i...........$.....9...........4.....w.................C.....`.....w.................H.....Z.................!.....2.................8.....L.................D.....V.................+.....8.................:.....M.................V.....j..........._.......................R.....m.................".....C.....b...........).....U.....k...........K.......................i.......................{.................;.......................f...........".....4...........F.................$...............................................2.............

C:\Program Files (x86)\Fast!\nwjs\locales\cs.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\da.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	505239
Entropy (8bit):	5.448226222916994
Encrypted:	false
SSDEEP:	6144:in4xaYaQzVWZqo5cU+8+4kijSwlTwpJwawobR09vcuL5kPrTEr/d4JTGqVwXzZhJ:i4xaY9r8PjbQ45ErBTpY
MD5:	9BF8555DCC94477ED9FBDD10C62CDA28
SHA1:	9E67FD5CA48A1CFC3CC516811EF0DA008C84B273
SHA-256:	5EDC021B352EBE4EB7AA81B9486E58946CDD0F91B686A08A0DE038DECD5AFF9B
SHA-512:	BE08559FEAF96275B870E086A6AB8EE8C644D65C67F290099D05558E025FB33FAE4CAB68A5EB803BDE032CA09D2E2BAF71F72177B3A53BF518C685826E3F1F23
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.$...w.1...y.7...z.F...\|.L...}.^.....f.....k.....s.....{.......................................................................X...................................<.....T...........f.................-.......................-.............................t.......................u.................8.......................s.................2.................?.....S...........\.................Y...........1.....W.................4.....F.............................m.......................X.......................^.......................W.......................;...............................................).......................p.......................T......................./.......................,.......................j.......................j...............................................~...........6.....D...........U.................!.............................`.....\|.................K.......

C:\Program Files (x86)\Fast!\nwjs\locales\da.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\de.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	544541
Entropy (8bit):	5.4912987683783125
Encrypted:	false
SSDEEP:	6144:RAuRc5wJanQ13K7UpHad3gXiasnyX4VyuX3FwN1a265Jl5vRPNKzMgQIDCbL:RnBj13K7UpEgSamyHjw5CDvDCbL
MD5:	1BCD5AF995CC8061CA89637EF72CC1DB
SHA1:	3CEA0D8F5A8D7D0FB16BEB89365D4EA77AA9DC28
SHA-256:	EE1317B4F3A3C8C4CCCA9DFD49479AFF6A22893260A1AD38C1666CDE3DB228ED
SHA-512:	4370CCD37DFFCAA1A84CE7587D04488E034D86A17BC2C390667C1C73DF3A93E00C51E7F1E813FB83AFE1BDBC94B5BEB0DF3D9314752D172D6F7809C5561C85B6
Malicious:	false
Preview:	........C$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.'...s.8...t.A...v.V...w.c...y.i...z.x...\|.~...}.....................................................................................................................................C.....X...........P.................1.......................m.................%.................B.....V...........\.................E.................)................d.....u...........w.................^...........D.....^................................................................-.....?.................>.....O...........\.................).......................[.........................................=.........../.....g.....y...............................................'.....y.......................w.............................1.....j.................k.........................................P............................. .....j.....t.............................m.................%................." ....1 ..... ....0!....h!

C:\Program Files (x86)\Fast!\nwjs\locales\de.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\el.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	967007
Entropy (8bit):	4.76798089170347
Encrypted:	false
SSDEEP:	24576:NYc6PdGgx11hxFFc9N6JXDsSYSmqHMuD2fp3Lljr9AVH8+VdQ5tNDQo3FYtf2Uto:NYc6PdGgx11hxFFc9N6JXDsSYSmqHNDu
MD5:	92B4DB2E2A6334F9E8E4C3AD0478733B
SHA1:	BB51F1A509C3F6D5D69B0FD5BDD87632C6354ED6
SHA-256:	FE7B716FD80F8327DB8EE17FB0B2669EBE1EF18D196CB5141BE9210FEC9A0682
SHA-512:	7517FAD4EA889E97C840F2D32F6563C7597CA9FEA19FC7D7D83FF4D4AB47F00985EB49BD1676AF803CBFBA9E9C18771A2869416FB70A3C147F0571F39CAD04F4
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w."...y.(...z.7...\|.=...}.O.....W.....\.....d.....l.....t.....{.....................................................L.....s.....Q...........=.....8...................................R.................=.......................I.................e...........D.....d.....3...........R.......................".....\.................m...........o.....+.......................t................^.....V...........C...................................z.......................6.....v.................g................................................ ....+!....R!....."....."....!#....H#.....$.....$.....%....>%....I&....Q'.....'.....(.....(.....).........P.........y+.....+.....+.....,...."-....y-.....-..........S/...../....'0.....0....v1.....1.....1.....2....f3.....3.....3.....4.....5.....6....J6....t7.....8....E9....~9.....:....f;.....;.... <....0=....,>.....>.....>.....?....c@.....@.....@.....A.....B....tC

C:\Program Files (x86)\Fast!\nwjs\locales\el.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\en-GB.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	438233
Entropy (8bit):	5.518587154498282
Encrypted:	false
SSDEEP:	6144:vZI0SrL4yfYyzcMP9ehT/IfaYjYU8z5MKS8BE0RJEl:vZKwG4MOT/oo5bSVl
MD5:	53FB83F1300373ECD284455187B515D2
SHA1:	6081C8849D28FE9AF94C98B3B266F5A8A2F638E5
SHA-256:	9DC4D36ADD6D35462856BCD9F809E2FF54A4E290CBF35B55E01608AD2D923C4C
SHA-512:	F031B27103B879FF641EDF280B94BCF64584459E05C3C6B3E836597628626716ADBE263C8CFA7B3145BE453F0B9CDD14A667FB3BB5F8459039977FA4E26E84C1
Malicious:	false
Preview:	.........%=.e.T...h.X...i.f...j.r...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.!.....)...........6.....>.....F.....M.....T.....[.....\.....].....b.....o.....~.......................r.................".....p.......................q.......................h.......................>.....g.....u.................).....6.............................j.......................`.......................<.............................R.....~.................R.............................9.....H.............................,.....i.......................>.....p.......................G.....S.............................].............................b.......................O.............................Q.....g.......................".....o.......................>.......................%.....\.....w................./.....^.....n.................K.....c...........6.....~.................L.......................B.....n.....}.................(.....8...................

C:\Program Files (x86)\Fast!\nwjs\locales\en-GB.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\en-US.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	442167
Entropy (8bit):	5.509356040959441
Encrypted:	false
SSDEEP:	6144:tsKm5Yuuvn6MVB5TMP9eVX9vfaYIyz45cBSMn0F/B0fwH:ODhadlMmX9KX5QSsfwH
MD5:	06B76AB948526CE0875CD280F5559BE4
SHA1:	D0CB125B7ECD5E1A9DB001C611C21B2F26A46B1C
SHA-256:	49BEFD911A3E1456131FBCF4FCA1C0ACC0A7B711787486253BC7D5E6B38E1C3E
SHA-512:	2BD643032BA787BDFE67AD98DD01BE8B56D38D87A70CFB55E1858B56118C585BC1A6EBA6EA1BD4FBF214E45AD389D98F1058F38BA42E442C5C3DEDC049A4611F
Malicious:	false
Preview:	........?%..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.'...t.0...v.E...w.R...y.X...z.g...\|.m...}.................................................................................................m.................,.............................w.................!.....z.......................U.............................].......................#.....H....._.................G....._.................1.....?.............................].......................G.......................:.....q.............................3.....=.............................C.......................$.....m.......................4.....].....h.......................'.....p.......................J.......................E.............................C.....c.....x.................+.....:.......................9.....~.......................8.....~.......................].......................~.................>.......................?.............................G.....i.....y...........!.....R.

C:\Program Files (x86)\Fast!\nwjs\locales\en-US.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\en-XA.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	980342
Entropy (8bit):	5.216674843653677
Encrypted:	false
SSDEEP:	24576:JMpkqpOYzJWp1MoEY3RykXwYMCSXpOPBpPx3ASomwGiWAtyVS1UtuYtP0DvC5z9f:TBt5z9f
MD5:	6CE103C1633F4DF47E246CA9E98F35E6
SHA1:	86F97D6DFE7CE7DCF95EBEF5ABF669F7F8CB01A5
SHA-256:	A71EAE327B57CBB04148D906144583824EEED9DC2CDD150F5B1D19B61685107E
SHA-512:	5A2E530E6245B2D525F5CF3C08DBB901632175A21D927A58AB4974BDA48E59B9531C09938B938A4F1F6D66244DFF3E81E5176DD69445CFD007BFF34CD9D44DFC
Malicious:	false
Preview:	........c%..e.....h.....i.....j.....k.'...l.2...n.:...o.?...p.L...q.R...r.^...s.o...t.x...v.....w.....y.....z.....\|.....}.........................................................................&.....I.....m.......................Y...........b.....+.............................T...........q.....8.......................b.......................O.......................U.............................K...........W.............................>......................._.........................................m...........=.....g...................................n...................................I.................O.....n.....1 ..... ....a!.....!....@"....."....l#.....#....F$.....$....l%.....%....~&....f'.....(....;(.....).....).....)....8..........+.....+....8,.....-.....-..........9..... /...../...._0.....0....h1.....1....:2....`2....C3.....3....j4.....4.....5....36.....6.....6.....8....&9.....9.....:.....;.....;....h<.....<.....=....R>.....>.....>.....?....@@.....@.....@.....A....qB.....B

C:\Program Files (x86)\Fast!\nwjs\locales\en-XA.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\es-419.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	533930
Entropy (8bit):	5.3788313673683525
Encrypted:	false
SSDEEP:	6144:6IH8fG6z4/5iQ8X5p3YRRr5XLFYFIFUm+L:B8+6Z9pmr5bFbgL
MD5:	1B537CA4D3C9A1772F465BAE676BB1F6
SHA1:	E534EB772FDF11086F4637143789E730A4E05575
SHA-256:	A4F80D52562840FBB6C919F2B0E56AC85847463CA0BD90D93C44A4EB03D914A8
SHA-512:	8B305C7DFCADB99A8EB7BA22A5CE429B055741292B02D5D6DF9FE591B6ADFD08C25C401C771F3C7B0900BEB4F9D30E55E58F9DC2F74C21E0365740608B7A9FC2
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v....w.7...y.=...z.L...\|.R...}.d.....l.....q.....y.........................................................................................v.................i.................Z...........7.....U...........B.......................B.....l.................<.....d.....u...........o.................n...........".....L...........).....n.................V.................)...................................j.................(.....W.....r.................K.....Z.................R.....h...........E.......................a.......................W.......................<.....l.....v...........D.........................................Y.......................c.................J.......................r...........).....j.................?.....Y.................O.....h...........5..................................(.................z...........#.......................5.......................7...................

C:\Program Files (x86)\Fast!\nwjs\locales\es-419.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\es.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	532503
Entropy (8bit):	5.357881561820044
Encrypted:	false
SSDEEP:	6144:6IB3CiKdyOR5u12clg135gObkpO+EdQ1m+dj75aIrJQh6S6PZ6k8jb:6IBPKRbq+1RopkQ1muj75Xrmhbb
MD5:	4F20600D22FBCFAA0415F214F1858B62
SHA1:	41145AE5255CB4CE20EB7EE57D503D4DE59941C7
SHA-256:	A09CB85E8844301A22500DEB47A8FE42E3943B183CC29CF2D4BAF6EA427FCB30
SHA-512:	288FD234D0563B32E13C2FD67DC59F1FE49B915A7531F72B28A1B09D40454AF7285EE749FD328708E6DEF9F513A85EC7806DEE7E4AB2BC1C6275CC21A71D4969
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.-...w.:...y.@...z.O...\|.U...}.g.....o.....t.....\|...................................................................................!.........................................l...........\.....v...........Y.......................k.......................l.................-...................................L.....j...........B.......................f.................6...................................g.................A.....t.................6.....^.....m...........0.....f.....\|...........H.....{.................C.....w.................0.....a.....l.................D.....N.................;.....K...........9.......................P.....\|.................J.....q.................w.................7.................'.............................}...................................4.....N...........b.................e...........0.....Y...........<.....}.................6.....\.....o...........@.......

C:\Program Files (x86)\Fast!\nwjs\locales\es.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\et.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	484524
Entropy (8bit):	5.458569780933525
Encrypted:	false
SSDEEP:	6144:y0PQVDMd4S45K9vMNczUupn1J1ONRS+T7+F4mT7FN0gmFohW4xS/Y03pi802p5ay:yEN4Y9/Xpi/TOpbmFohozp5aj0x
MD5:	E0EE91083792BA6B9200106DAEC4F5A7
SHA1:	14BADA6580DDCCFF3C4CCC3DBC3568E5FCED1097
SHA-256:	770DC93416BDA6716E4D596E80638FBDAEA70F0EF9076A0D174D58C9467C61C2
SHA-512:	D4D733E2DD0EE3DF772D896CCDC1B09940EDF9A42F1A5B378CB1060ED3500E74CF69C79DC092D01BE8409AA9B01CF9685D3365F85EE3367A559371A6229E4020
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.,...t.5...v.J...w.W...y.]...z.l...\|.r...}.......................................................................................................(.......................n................. .......................C.......................C.......................5.......................7.......................G.......................q.......................u.................!.................#.....;...........0.....u.................Q.....s.................7.....Z.....f.................E.....U...........#.....].....h.........../.....i.....w...........0.....a.....i...........).....\.....k...........*.....^.....f...........N.......................O.....n.................B.....f.................6.....n.....{...........C.....w.................F.....`.....q...........5.....].....u...........A.....y...................................}...........C.....h...........D.....z.................'.....C.....W...........%.....S.

C:\Program Files (x86)\Fast!\nwjs\locales\et.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\fa.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	787089
Entropy (8bit):	5.051202428896656
Encrypted:	false
SSDEEP:	24576:i3x8u313uyqoe+s4q7CRmXzoT4WmdAQifaQ2XxFHGk62Bh96MX9OCRdpxHsAQi6A:i+v5ec
MD5:	68AD7F55117CCEC25D6B244662AD5018
SHA1:	FA1CCD5797A0218B632801B2A0F54929C0ECA622
SHA-256:	42E9643F8DE704B53F074F53FA7DACF5F6C6F6642C6CE0CD98294A91BAC26B80
SHA-512:	A6926C9BCCFB62B0506E7A45ED56D4FC4A0EDF983EBBF3134C4AB6C2FF1C2AF66BA82E7891B6F1530B927F72FEA43AB0A82DE9D70746DCD67F31A1B5CBF64FEE
Malicious:	false
Preview:	........c$..e.....h.....i.....j.....k....l.5...n.=...o.B...p.O...q.U...r.a...s.r...t.{...v.....w.....y.....z.....\|.....}...................................................................%.....A.....k...........w.....H.......................M.......................]...............................................K.................=...........#.....D...........}.......................Q.................]...........I.....e.......................................................................R...........[.................0.............................%.....g.....~...................................D................."...................................V.....x...................................M.................P.................%...........l........................ ....n ..... ....B!.....!....3"....y"....."....o#.....#.....#....i$.....%....e%.....%....&.....&.....'....)'....'(.....).....).....).....*....R+.....+.....+.....,....9-.....-.....-..../......................../....A0.....0.....0

C:\Program Files (x86)\Fast!\nwjs\locales\fa.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\fi.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	492464
Entropy (8bit):	5.425658384076431
Encrypted:	false
SSDEEP:	6144:ilaR0mV19j/WJ8eG6KZ8VreKRJTsbTIOEiTak9LQ53YW2HrEaWacvr3OW3MWO4Ap:ilch19qJaQetax53YtHrEaWa2YuYn
MD5:	A7A39FB45BF28A1704F1088784ED9B21
SHA1:	8F6021070CFC88BDFCA8E628BFD8DCE4D5234912
SHA-256:	6625723666A0433A29F9943E8B3DDEBDF676F38ECD4EECA1EFBC1FAB7E19CE8D
SHA-512:	3E3C20BB58C701E72CAF59E78F23FC2A2A9F742986C7655760BFAD7CE775D423B72C8127964A97CD6DFC3082B2DC46F20F129FECBA8C4A5BD7EE2E9B85D623FD
Malicious:	false
Preview:	........R$..e.....h.....i.....j.....k.....l.....n.!...o.&...p.3...q.9...r.E...s.V...t._...v.t...w.....y.....z.....\|.....}.....................................................................................%.....>...........C.......................q.................&.......................M.......................W.......................5.....~.......................Z.......................}.................7.......................3.......................6.......................V.................$.............................Y.............................i.......................9.....c.....m.................L.....Y.................!.....,.............................j......................._.......................\|.......................I.......................?.......................=.......................G.............................d.......................\.................5.........................................0.......................,.....n.......................5.............

C:\Program Files (x86)\Fast!\nwjs\locales\fi.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\fil.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	556786
Entropy (8bit):	5.192882907827124
Encrypted:	false
SSDEEP:	6144:6fvFTGCvtu/Zy3DQBIBg0/S2FCvenG2Z3LRmI5Fwm0InAREt8:Y9j1aslUI5amG
MD5:	5A029FBC334FB96F05BA7CB40CBF77FA
SHA1:	993AD2E2C05C5B6374DA6547FE9F966F8FA33FF0
SHA-256:	02174D6A13714498334FCDCFB6F78007756D65FFD69F2984C4E010D293A0A264
SHA-512:	D10309197A9AE36A250944C0BA36DA184FFDCF2DD21874E1EAF3C1075057600219EA6B986F31B9CA727349E07262159B9AB8D7069946B1B532819202BCD3BE0D
Malicious:	false
Preview:	........ %*.e.z...h.~...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w."...y.(...z.7...\|.=...}.O.....W.....\.....d.....l.....t.....{.......................................................................p...............................................t...................................N.......................[...................................O.....~.........................................A.....W...........A.....~...............................................x.................Y.......................O.....w.................8.....b.....q...........N.......................k.......................s.......................t.......................v.................3.................#.......................3.............................r...................................T.................R.....\|.................t.................P.................'...........[.................j...........9.....j...........J.......................P ....x ..... .....!.....!.....!

C:\Program Files (x86)\Fast!\nwjs\locales\fil.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\fr.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	578290
Entropy (8bit):	5.380153051203165
Encrypted:	false
SSDEEP:	12288:jmDHjPf6ZLiXrmDDq6QuaMV5uKzxOt11Z8MYnYJYQgIRyz+X5Dx0JSWdv40wCU7p:kv6VNe5Mw
MD5:	DAF38B05615CF2B32110153A87F00A49
SHA1:	5BA7AE47BCF97F25CA4AE39F2719CD167525B7A6
SHA-256:	F27B84A739C6F37556506BD6B6681FA347B91D8852BFAAFB8C2388240D61B4E3
SHA-512:	24F7F127200BEED942F55D6A5C8A8EC0F395BDDE5005E181578C4F82774145C87FF7DF31AE3ED5E395BD6B4415B34F7DDD404FD916953D3DBCA6A2AC541D7DB5
Malicious:	false
Preview:	.........$..e.`...h.d...i.u...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.0.....8.....=.....E.....M.....U.....\.....c.....j.....k.....l.....n.....~.......................R...........r.................{.................c...........H.....d...........?.......................p.........................................[.................6...........!.....d.................f.........................................T.................%...........I.................'.......................(.......................".......................:.......................S.......................V.......................C.......................<.......................g...........K.....b...........(.....V.....t.................,.....J.................P.....l...........w.................S.......................S...................................R.....r...........p.................^.................6...........A.......................V...............................

C:\Program Files (x86)\Fast!\nwjs\locales\fr.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\gu.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	1122667
Entropy (8bit):	4.3400459610777204
Encrypted:	false
SSDEEP:	3072:mgmU7sGiPkPYBxz9AcSIMKHIwjAwREJKVMjNiT7llj63rhJWlPvKMi5eQWiYJsWR:mg0cPKz9lSXRjMkaL258Gh1dRu
MD5:	114BE9E725B3E34F26798EEE03AEB7A3
SHA1:	AE2B4E62888F8B03FB8D896AEAB6C3EB8D11793B
SHA-256:	F95506C669D3994DE484E61529E1EF56DF8F7B88E28A9DDD9F9B3A2FCA958FC0
SHA-512:	4EAFDC76D4B06EBB0D1405F3D68CE518BE925C4444234B5ACADE27CB07F29A2E11DE6093389A89A468D87A55638DC38970EDDC4355D52D0FB45F3C8CE8251D05
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.!...t....v.?...w.L...y.R...z.a...\|.g...}.y...................................................................................,.....d.................n.................^...........".....J.....-.............................'.....P...................................A.......................Y.............................................................................I.....u.....r.....m.........../.....R.....`...........H...........r.......................L.................S...........C.....\.....(...........A.....l.....(...........C.....e...... ..... .....!....-!.....!.....".....".....".....#....W$.....$.....$.....%.....&.....'.....'.....(....;).....).....)....?...............+.....+.....,....4-....Z-....e.....0/...../.....0.....0....w1.....1.....1.....2.....3.....3....-4....-5.....5....q6.....6.....7.....8.....9.....9.....:.....;....z<.....<.....=.....>.....>.....?.....?.....@.....A....8A....WB....4C.....C

C:\Program Files (x86)\Fast!\nwjs\locales\gu.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\he.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	693623
Entropy (8bit):	4.662873246769769
Encrypted:	false
SSDEEP:	12288:nBISxF6XshWxF28kO0hC6r6TkvWqo/5HEajACEXbheQCapGr5hA3o9dBj5HlmmEq:nm++1L5oo1
MD5:	6C6DBBF3DADE579939E27728DF66EA2C
SHA1:	68BC11E532FEE1AAD3668F510CD276229B3EC7F0
SHA-256:	08A95A59D8AD6FD28D52723F5EF5E0796265B2518DA44236CB4E5FC0B90FD6BD
SHA-512:	594C2C897D612AF6CA8AC25FEE2960EBFCB6DD90CBBCC0324245714137EBF77369879D0E28243A370AB429ABD27768BAB860162383E31B8BB1A10667FF129466
Malicious:	false
Preview:	.........$..e.>...h.B...i.S...j._...k.n...l.y...n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...................#.....+.....3.....:.....A.....H.....I.....J.....L.....c.....\|.................w.....-.................a.................8.........................................[.....}...........r.................?...................................7.....g...........~.............................m...................................k...........2.....K.......................?...........%.....P.....}...........g.................C.................2...........$.....d.....w...........m.................<.......................m.................-.................V.....i...............................................9.................8.....\...........S.................a.................Y...........!.....B.....[...........>.....o.......................................... .....!....>!.....!....f".....".....".....#.....$....\$.....$.....%....o%.....%.....%....x&.....'....e'

C:\Program Files (x86)\Fast!\nwjs\locales\he.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\hi.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	1188400
Entropy (8bit):	4.311084623750104
Encrypted:	false
SSDEEP:	3072:awUn/nDN4+YNa2yG8cmV/BB0ZV1d1OuOXRLXW3Jpj0TByntDPtDlEpgs4u/8Wiwz:awKUp8gS55k5RhgN
MD5:	A4F071EA16CEBD5EE301DACBC617B9C3
SHA1:	CF46E5E856FAC54382B04DAA7FCFC325A72DAB12
SHA-256:	942AE41EEBD2839A2C00E2B4C9FA53DAF3730CF97AD68FA3132A42AF03D8B2A8
SHA-512:	A2E8AC957BBF847C33347660B06D2F12758A882E12A8CFA460FC1729FC0FDF240A381EF277DF79ECFF1FE95C7C56E2ED1B71B31AD455565EB89580B00FC0F620
Malicious:	false
Preview:	........y$..e.,...h.0...i.A...j.M...k.\...l.g...n.o...o.t...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...............................!.....(...../.....6.....7.....8.....:.....\...........................................................q.............................B.....5.............................@...............................................5.............................B...........h............................a...............................................................................................l.................}...........W.....p.....G...........l...........\...... ....n ..... ....=!.....!....="....Y".....".....#.....#.....$.....$.....%.....%.....&.....'.....(.....(.....(.....)....-....z.........A+.....+.....+.....,.....,....x-.....-....(....../...../....K0.....0....Y1.....1....(2....g2....[3....74.....4.....4.....5.....6....L7.....7.....8.....:.....;....5;....C<.....=.....=.....=.....?.....?.....@.....@.....A.....B.....B....DC....AD.....E.....E

C:\Program Files (x86)\Fast!\nwjs\locales\hi.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\hr.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	536228
Entropy (8bit):	5.515391862763459
Encrypted:	false
SSDEEP:	3072:2I0Cw2NeNyfAXqYPTXeXC/i0qraKbuc6baBV08L8buo+wKxr05Yp/ADtOSAqb+HS:/Jw2Myo5uSK6VyOcwav+3mJ5UN72RwGc
MD5:	886D145D04CB1AA7CF6CAD7462412B39
SHA1:	754B7A17BD17CCC182623B7CEA7680B0D4191BD3
SHA-256:	F0F4AD264CC98AD734FB9CF61301E39EF76445F937FE222165E6722E366D3831
SHA-512:	F38F145D4F7C7735AB0FC6539F2D18AE12AE59E92513FD83403020FAA74DF6BAAFE86E503B5ED39249C2B537F6B9AF0B1E3E735E764EB3BDE38CB109365140FC
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.+...s.<...t.E...v.Z...w.g...y.m...z.\|...\|.....}.......................................................................................................5.................".......................U.................4.................D.....Z.................F.....V.................$.....4.................9.....^...........[.................6.......................]...................................>.....Y...........r.................W.......................5.............................G.....h.....x...........;.....r.................6.....d.....s...........>.....v.................3.....^.....n.................F.....V...........F.......................L.....n.................2.....Q.....q.................G.....^...........=......................._.......................g.................9...................................f.....x...........`.................+.............................b.......................n.......

C:\Program Files (x86)\Fast!\nwjs\locales\hr.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\hu.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	577216
Entropy (8bit):	5.643930100645207
Encrypted:	false
SSDEEP:	6144:Ftqi2u7XLYTtOLFIHPs6TBAr7katVIB5HwzFZfpOHYGhQU+zGXevAu5ARDCetGzH:FtD7DLGiIACB5HwzIdLIAu5tg2
MD5:	78730A55F4734A3FD79DB335B2F92773
SHA1:	297069635184682E55D1A9A1B81CF197E0E22427
SHA-256:	39D86CD35876AE9DE3A5A85B81C1171E2011AD64AEE7F4BB6954B49C91C25AE1
SHA-512:	0325C92776C99C0CC8FB1A28DF3EE69C2414D3A1074918F969691D26F8BB89C4F5694A590F93D5ED82EB06A2B1A3F3E410722FBA2496FB41E842B0B397C06BCE
Malicious:	false
Preview:	.........$..e.H...h.L...i.]...j.g...k.v...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.............#.....+.....3.....;.....B.....I.....P.....Q.....R.....W.....g.....}.................T...........u...................................f...........L.....f...........^.........................................(.......................{...........-.....^.............................s...........(.....:...........!.....c.....s...........v.................k...........W.....v...........j.........................................).......................q...........M.....d...........n.................>.................+.................W.....l...........r.................C...........(.....>...........".....I.....e...........0.....\.................L.................4.................&.................................................................c.......................%.....4...........[.................s ..... ....:!....V!.....!....$"....U"....q"....."....b#.....#

C:\Program Files (x86)\Fast!\nwjs\locales\hu.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\id.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	476028
Entropy (8bit):	5.379776378917239
Encrypted:	false
SSDEEP:	6144:uYpLKyTWkaF7DsFPgvf+cVnjHFl6mik4c158ghSwkK5NcSz97IEji4QH/:JKDlDig5VnjHF4m34C58ghm/
MD5:	FC1B7DE05FB68AF250C9C5970FDAA3A6
SHA1:	40110A5FC5042D8CE4A9B97410B8F73039697419
SHA-256:	4085C8CC4DCEC822A496CD330AD974322C9EDF83C5B752596960DA1FBA809704
SHA-512:	F15703EB35D007578BF9DAF0E0D52F0F8DAB72CF5E013EE9A648CB8B5F054DAFB1CD2543F220D63BDD8594BFA552446BD0C854BFB7AC300F40CC27248677336F
Malicious:	false
Preview:	.........$..e.t...h.x...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.,...\|.2...}.D.....L.....Q.....Y.....a.....i.....p.....w.....~...............................................:.......................Z.......................K.......................g.......................j.......................H.......................2.......................:.............................z.......................Y.......................Y........................................."....._.....z.......................C.....O.............................v.......................].......................8............................._.......................F.....x.................9.....o.......................".....3.............................\.......................=.......................!.....].....w.................7.....e.....t...........0.....l.................}.................S.......................f.......................<.....}.......................k.......

C:\Program Files (x86)\Fast!\nwjs\locales\id.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\it.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	532202
Entropy (8bit):	5.283769478628022
Encrypted:	false
SSDEEP:	6144:OauoBrrffQgCI1xO2+NjXeNDYISIqRRRsO1StbdRT9TjexvqiBELqbPpzHi9fLwx:OLoBnffQgsRAPZqV8bmEKUwA5m4oD
MD5:	19925C7650E0D4A1109C29B7F7081712
SHA1:	98D6BFADF1D3987C048A691D6E3B92B4C6795677
SHA-256:	3509A16F733840F0C7DD20BB9D181473322EB7C806218552C125800812C4F329
SHA-512:	8096FFB842466640234F4385A26387C6636626E179D807B629870356E7AD858BF2D9D9F463B6E13126B34EB41363F31E32F2DB4D292C0FCB96974D631172B84D
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.(...w.5...y.;...z.J...\|.P...}.b.....j.....o.....w.........................................................................................q.................R.................,.................!.................a.................".....I.....W.......................-.................F.....p...........h.................R.......................s...................................9.....R...........L.................!.....m.......................Q.....{.......................A.....L.................V.....h.................D.....O.......................#.....r.......................K.......................T.................&.............................O.............................^.................".....{.................].......................8.....v.................D.............................).................6...................................Q.....g.......................).................4.

C:\Program Files (x86)\Fast!\nwjs\locales\it.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\ja.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	645756
Entropy (8bit):	5.721459654042235
Encrypted:	false
SSDEEP:	6144:dbWYR6j5cC6JtnRRI6ZyQ2IrWb45h8dxVd:df2cT346ZyQ2Ir/5h8/
MD5:	2359AB9C67CC599B81D414F475D3AF4A
SHA1:	318C6CF3711B28A97732F334DF5679500C1A92CA
SHA-256:	69BBAE5376A179B7CF38E513F497A3E953BBB3B50A90FFBC7F174DDF6BF36538
SHA-512:	04B742830B383198A69B5008A8603003DC88EDE7FA49A3BE9F35BB5C6459DE1EFA2E6CA8D7F162B97E35619E051F1F07D4AFEB45DAE2251D8732D6F5B44E5C32
Malicious:	false
Preview:	.........#b.e.....h.....i.....j."...k.3...l.<...m.D...o.Y...p.f...q.l...v.x...w.....y.....z.....\|.....}.....................................................................................+.....I.....j...........%.................!.................T.....l...................................v.............................3.....E.................@.....P...........L.................:...................................2.....B.................N.....]...........>.....u...........-.........../.....J.................0.....L...........M.................;.................$...........^.................Z...........,.....;...........7.....z.................w.................J.................+...........d.................d.................4.................K.....l...........X.................`...........$.....^.................8.....G...........L.................!.....\|.................t...........\|...........(.................. ..... ....+!....q!.....!....."....."....."....."....e#.....#.....$....I$

C:\Program Files (x86)\Fast!\nwjs\locales\ja.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\kn.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	1277291
Entropy (8bit):	4.250575799494213
Encrypted:	false
SSDEEP:	12288:OJEPCpA6GYIQJzMUk3Q7X5DiUgcyE+hTKYB:Oon85OUK
MD5:	44E9E82743A4CBFBB4C0B435FEB6A311
SHA1:	6E0961D9A362F1AA4A1CEA067CE33CF6236BDDCF
SHA-256:	FC48834CC2D91E3E3C4BA03427D2F7017B8A1047BCD02F54F00162FCC1B8E892
SHA-512:	D2A8BAD4CC541B1DFD692AF0B26C3E4AF67D63B996339A3E76CFFBBCBAAED13E4DFFC0A94C0566C590033F1838F02CE7A92C392402C71978B4873F5F574AF5D4
Malicious:	false
Preview:	.........$\|.e.....h.....i.....j.....k.....l.....n.....o.....p.+...q.1...r.=...s.N...t.W...v.l...w.y...y.....z.....\|.....}...............................................................................U.................`.......................7.....?...........N.........................................S...........O...........F.....z.....g.....0.............................g...........(.....7...........o.....u.....I.................'.............................5...........G.......................6...........h.................. ....6!.....!.....!....K"....."....4#....I#....,$.....$....m%.....%....{&....5'.....'.....'.....(....8).....).....).....*....f+.....+.....,.....,.....-..........6.....X/....W0.....1....F1....)2.....2....G3.....3....44.....4.....4...."5.....5.....6....$7....V7....~8....F9.....9....[:....C;.....;....H<.....<.....=.....>.....?....o?.....@.....A....JB.....B.....D.....E.....F.....F.....H....,I.....I....bJ.....K.....L....%M....rM....?N.....N....RO.....O.....P.....Q....SR

C:\Program Files (x86)\Fast!\nwjs\locales\kn.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\ko.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	542325
Entropy (8bit):	6.086545361822224
Encrypted:	false
SSDEEP:	12288:AbzQTckyVzNRrPyOjXMq5t8OQ4EVhGm6eCqV5b7fuhs8Ptdq7hUomrOe07F:2zQTccwc5F8qb7F
MD5:	356B9A6391D89B870C09DD5EB00DE331
SHA1:	0E2D88BE86C0B66F3C1BD9FCA7AB7A47E38B5EB9
SHA-256:	F87B6BD2FA24DC68B7AD565EE50028867A5C39AE6EB96006848C737F3C69EB64
SHA-512:	5CCFD7E0AC6D1F0D917F48D8429C32E8029DAAA68E2000A4291540DB51D5613FAD3200AE9DDB8FDBF86BA470A7056594977735AFA99EC2FA1857505B196B609C
Malicious:	false
Preview:	.........#}.e.....h.....i.....j.....k.....l.....m.....o.....p.....q.$...r.0...s.A...t.J...y._...z.n...\|.t...}.............................................................................................................S.....q...........J.........................................E.......................c.......................h.......................w...................................).....=.................&.....3.......................#.................-.....=...........@.......................V.....z.................7.....\.....l.................7.....G...........+.....i.................I.....}.................T.......................W.......................U.........................................L.......................<.......................G.......................a.................5.............................Q.......................T.......................g...........*.....8.................B.....Y...........!.....P.....c.................6.....I.................:.....M.......

C:\Program Files (x86)\Fast!\nwjs\locales\ko.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\lt.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	582911
Entropy (8bit):	5.634943315491091
Encrypted:	false
SSDEEP:	12288:B+YBAZAMAAxqNmZ9ffdV575zk1rWCo6S6U:BDzMAsXV5m16Co
MD5:	1A2B3A04973DADE71E963BF4460967BF
SHA1:	7F24D5C7FE8EA8533432DD9801B50173658ED496
SHA-256:	9378B20C9413D9B2A870F146F7A151576670DFD61498A71943AF3AB4A99DA44C
SHA-512:	D42E051D2D19264ED961747283595518E3F21346362FCFED9A5D37683FDDDBF043D10B3710AB80FE41011FC0F59AA9A9F38F95B46D67DEF2194F842EE9726FBD
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v. ...w.-...y.3...z.B...\|.H...}.Z.....b.....g.....o.....w.......................................................................n...........\.....w.........................................a.....{...........r.................<.......................{...........7.....N...........H.....\|...........+...................................<.....M...........;.....u...............................................l.................l.........................................F...................................=.....P...........D.....~...................................W................. .................;.....I...........\|.................`................. ...........1.....k...................................e...........".....U...........,.....N.....a.............................{...........B.....f..................................." ....` ..... .....!.....!.....!....."....b".....".....".....".....#.....$....R$

C:\Program Files (x86)\Fast!\nwjs\locales\lt.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\lv.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	581278
Entropy (8bit):	5.629069008321948
Encrypted:	false
SSDEEP:	6144:IWud1ph8fFsuRQ28cq39V3yNDtVF6w+HT7c49bkSZub3v5OycNpEX95gosryEAYm:qJFnF7HTw4Okmv5UEN5KyUZhm
MD5:	40066BB6E0592D9892B5C3B09EF19934
SHA1:	2DAAA058A3DF0CE9C480E241EE6D535CCE801B39
SHA-256:	0D2AB7309266FD3C16C3CFC80AF4EF6D1D5FA6F3B9B9DF11A7FF7B9C683F04F8
SHA-512:	83B950285CD13779272FE7BB77F1A299AD872B9569C06A91423F782F3A45AC07965CF5BF32FC503B8E393D4FB73674F359A0462C1315F39F905415DBE4B32875
Malicious:	false
Preview:	.........$\|.e.....h.....i.....j.....k.....l.....n.....o.....p.+...q.1...r.=...s.N...t.W...v.l...w.y...y.....z.....\|.....}..................................................................................... .....<.........................................P.....c.........................................U.....t...........S.........................................K.............................a.................D.................*...........".....[.....n...................................&.....v.................b.......................k.......................y.................1................. .................6.....H...........6.....m.....\|...........e.........................................~...........q.................L.....g.....\|...........{.................1.......................f...........6.....p...........=.....].....v...........z.................F.................!...........x.................v...........1 ....W ..... ....R!.....!.....!....."....n"....."....."....0#.....#.....$

C:\Program Files (x86)\Fast!\nwjs\locales\lv.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\ml.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	1328122
Entropy (8bit):	4.28570037951358
Encrypted:	false
SSDEEP:	12288:VAZnI3A2cMmsbbAxeIAxbFDqxn9mMD1UM6DdP6h+4rWZ3elhV5047dCBs/fa3jWp:WI3z5fkUZ3eB5047gs/C3E
MD5:	6D9AED906CDB7F873A68D6CBEE8E9B8C
SHA1:	6B823616FF775214B39947C10EC24F57A7C80265
SHA-256:	EB3B3898B2774ACDD4701E8F689A6F1F0037FF8E00443990992E1F23B3342831
SHA-512:	B2ADCCD595F9AEF333BA6BEFCCCBB401371659FDED1443E9ADA3A19477686E995FD7A06A670747D0522FA031449106C1C8AC1FF5A158E11B44A27DD86006F89B
Malicious:	false
Preview:	.........$~.e.....h.....i.....j.....k.....l.....n.....o.....p.'...q.-...r.9...s.J...t.S...v.h...w.u...y.{...z.....\|.....}...............................................................................`.................R...............................................a.................................................................Z.....K.....,.............................6.......................................................................q.....................................................0............ ..... ....,!.....!.....".... #....N#.....$.....$....2%....f%....H&.....'.....'.....'.....(....G).....).....)..........+....!,....U,....A-......................./....g0.....0.....1.....2....=3.....4....A4....+5.....5....]6.....6....Z7.....8....N8.....8....l9....9:.....:.....;....@<....(=.....=....F>....?.....?....R@.....@.....A.....B....LC.....C.....D.....E....GF.....F.....G.....H.....I.....I....$K....+L.....L....;M....iN....dO.....P....WP....HQ.... R.....R.....R....)T....8U.....V

C:\Program Files (x86)\Fast!\nwjs\locales\ml.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\mr.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	1093518
Entropy (8bit):	4.316650086169052
Encrypted:	false
SSDEEP:	6144:X7N3wwLpfU4zI/OhM0faJqGHi/ZN8853pj6PF:rpMNB0faJqUihNR53pj6PF
MD5:	B05DA3E44EC560BBCB731CC7FDCDFF1A
SHA1:	B99910347E6512E4E3ED2134FF673ECE441F38C2
SHA-256:	AB8BDA8C04759A737797978EF1AC7D070116E340BDEA977A62C10176453B8B57
SHA-512:	EF7CE42A913D5F57D059CEB9170767CB650BBE176906204D8C8002268210AA09FA008C9186EFD48A2320094972BE286DCFE70271236D1B9D71FF2BDF41F37FFC
Malicious:	false
Preview:	.........$..e.B...h.F...i.`...j.l...k.{...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.......#.....(.....0.....8.....@.....G.....N.....U.....V.....W.....\.....~.......................c...........Y...................................$.....Q.....'.....x.....~.....{...........4.................".....d.....0...........d.................l...........&.............................%.....(...............................................3...........................................................E...... ..... ..... ....)!.....!.....".....".....".....#.....$.....%....f%....N&....$'.....'.....'.....(....G).....).....).....*....G+.....+.....+.....,....Z-.....-.....-....$/....M0.....1....N1.....2.....2.....3..../3.....3....t4.....4.....4.....5....^6.....6.....6....&8....!9.....9....7:....!;.....;....?<.....<.....=.....>....=?....~?.....@.....A....@B....sB.....C....#E.....F....3F.....G.....H....1I.....I.....J.....K.....L..../L.....M.....M....)N....RN....sO....gP.....P

C:\Program Files (x86)\Fast!\nwjs\locales\mr.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\ms.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	498590
Entropy (8bit):	5.2545072995804
Encrypted:	false
SSDEEP:	6144:jB+BJOsHx/eSTsewuZnhasxijClMlU0WsUcSc5oo/LOM6QlE0T:V+BV/JfnRxiPlUxg5bKMT
MD5:	2CB91327F761143E84A1B5B5D3065E96
SHA1:	AB43F2FC30C27D968A48A0422EEA56BFA7B77623
SHA-256:	241F8F0FCD42B5A0081A95564541311D6BDBECB1639671181C151DD34DAB055B
SHA-512:	3EEAE835F4E9F51D5D0475CC7E0027E9504A7ED2A65C2B0D452771FDF87EF1861C706194F3D44C7966FAC3A875B12F1534E66AB2471D70EC95277EC5356DF9BC
Malicious:	false
Preview:	.........$u.e.....h.....i.....j.....k.....l.....n.....o.#...p.0...q.6...r.B...s.S...t.\...v.q...w.~...y.....z.....\|.....}.....................................................................................-.....D...........K.......................\|.................3.......................e.................(.............................s.......................u................. .................T.....l.................9.....B.......................#.......................-.................q......................./.....A.............................f.......................L.......................Y.......................R.......................B.......................2.......................@.......................c.......................K.......................,.....x.......................a.......................A.....Y.....e...........&.....W.....f...........3.....t...................................V.......................n.......................J.............................r.......

C:\Program Files (x86)\Fast!\nwjs\locales\ms.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\nb.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	485305
Entropy (8bit):	5.427430274456003
Encrypted:	false
SSDEEP:	6144:Y2OH60YwXEAS3e5hzahx3zwOp7fjB9ghm4C9/e8G5yV4VVzhhdCrQjWj:LOgkVch1zwOp7fjBcqW8G5yV4V9OQjWj
MD5:	6902EE821D9669DCD5A4217B3EB2257E
SHA1:	97A9EF051A83A56F3DE3A01503E6F4C06702E5C1
SHA-256:	B88FAA8B9A24EFEFA383AA8F75330C279FCEDD5766B05E5B4FD0ABFA6C9D9623
SHA-512:	1AEDB4AA16C616DE8CA132424D3ADC3308AB01C9DABBA950072B51746CB2F820BB1804979397D4ECEE8B6B6ED60F3058FC516CDCB590CA7DA1EB130DF68B382A
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.#...v.8...w.E...y.K...z.Z...\|.`...}.r.....z...............................................................................................!.......................].................5.................#.......................1.............................x.......................y.................(.................J.....m...........z.................T...................................U.....o.............................N.............................o.......................R.....w.................N.......................Z.......................`.......................U.....~.................L.....z.................r.................(.............................d.......................I.....k.....}...........j.................;.......................A.......................V.......................d.............................-.....w.................h.......................C.....`.....n...........8.....g.

C:\Program Files (x86)\Fast!\nwjs\locales\nb.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\nl.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	499939
Entropy (8bit):	5.367097595300497
Encrypted:	false
SSDEEP:	12288:3cwm9ullbWusag/P5q9C5stoxFGp3wRQOTn:1m9ullbWust5q9C5sqxFGp3wRzD
MD5:	0E4DEB9E17F3D9FEA1FD8FB706E96989
SHA1:	31B5BED538C5B8C93E9D1FCDB6CE1EFF1280682C
SHA-256:	BFB94507F74535CFCDF7FFC6F9F2988553EB0D1C7FD9B82C6C4EEE03AC1A9C89
SHA-512:	C29EE57EC12201D01CE8D47ADFAED10A83E4B69B77726AE071A675F6972DD1F843B1BDE29A504B5968C97EBEFBC60AF2ACAA0BE93D971BB7F9840C65E9142B54
Malicious:	false
Preview:	.........$..e.l...h.p...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.$...\|.*...}.<.....D.....I.....Q.....Y.....a.....h.....o.....v.....w.....x.....z.............................G.................&.................2.....F...........-.....r.................U.......................M.....v.................1.....Y.....g...........?.....v.................o.................&......................./.......................Q...................................Y.....r.................5.....I.............................k.......................Z.......................\.......................A.............................s.......................h.........................................@.......................1.....\|.......................j.......................v.................4.....{.......................q.................5.......................l...........B.....S...........A.......................s.......................\.......................R.......

C:\Program Files (x86)\Fast!\nwjs\locales\nl.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\pl.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	560590
Entropy (8bit):	5.754015492472574
Encrypted:	false
SSDEEP:	12288:E1CokumWoOB/V4U/FmfQfXU6HAEb9EP3CUd1e3m0UQEmw1Qhisf5eKt4HtzJ:E1CG4+H01Qhd5ud
MD5:	75560AD7D60EA2B46A3023817B290E71
SHA1:	9E58502C56284BF4EF2CB533283C4F22E1670C47
SHA-256:	E88363E98339C09F933A0D73BB9FDE15039E2DC5C47FDECA80CC9E1FF81DA7A8
SHA-512:	1EB1BB35B5AF35C9943D1C41EC4A8057AD96B83F7C260AA0A1533EA63DF58D50DFF3C5E3C1FE970CF74785D60AF50EF628E540954D5A736B6E06DF63AC8FA033
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.#...v.8...w.E...y.K...z.Z...\|.`...}.r.....z...............................................................................................(.......................{.................Z...........$.....B.................F.....\.................=.....Q.................P.....b...........9.....o...................................h.......................~.................&...........#.....n...................................w.......................7.............................I.....j.....x...........A.....z.................I.....\|.................C.....t................./.....[.....k...........'.....[.....l...........V.......................U.....r.................2.....S.....y...........(.....i.....~...........P.................#.....i.......................Q.....w.................p.................R.................,...........".....e.................J.....w.......................7.....F.................\.

C:\Program Files (x86)\Fast!\nwjs\locales\pl.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\pt-BR.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	525928
Entropy (8bit):	5.4293810403420535
Encrypted:	false
SSDEEP:	6144:1k+umr1MJbNBXBLEsf7gyq/55KJuS00sRhkFYK:du5K5sJfsRKFR
MD5:	491724E51087BA846E4A944CCA0814B5
SHA1:	9CF9C58C6BA95DC88AF32B68D23511CC9286B190
SHA-256:	9B249F2F8FB63E45F7BC6BBA802D2D852BB2F3EB43F83994E79B26D90F667881
SHA-512:	49F18BF9EF75BAA4CB01A56C2820ABC909E9B9C213EC1BA4BFDD1337AD9515F0CEAB8E31C89E3749634F841545CE1E7E5BDB854F5273E7A2BAC8ED9147C2A4F0
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s."...t.+...v.@...w.M...y.S...z.b...\|.h...}.z.....................................................................................................).......................m.................I...........5.....R.................Q.....f.................6.....F.................%.....>...........2.....x...................................x...........$.....5.................:.....N...........<.................4.................$.....s.......................S.......................Q.......................T.......................W.......................9.............................g.......................\.................).......................^.......................-.....y.................P.....{...........$.................$.....p.......................v.................@.......................~...........X.....n...........o.................H.......................".....n.........................................O.

C:\Program Files (x86)\Fast!\nwjs\locales\pt-BR.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\pt-PT.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	528471
Entropy (8bit):	5.404523022029093
Encrypted:	false
SSDEEP:	6144:bbsPm2EkN8QlFYF8fieJVJJxham4kR5fVCO5aKEHSRPF:bbx21slO5aKUSRd
MD5:	EBE41C9A475C65AA4DA33EB423CBFE79
SHA1:	78D07B2E5617DB8D9FFAA03A95138662FAFBC493
SHA-256:	284E2E6B7FD6A247F1DDD2860BCF2FB4F4C6ECF34ED68D8F7A8C2049AB61E2CC
SHA-512:	3B09F4F54B25AA2209AC8DEBD4D642201AB198956502DF39AD4F39EBF3A0520E5B8874E74EDAC98B41E328FF4875F7EC4039D2B4EABBBAFCF548715CCE4B96B7
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.#...q.)...r.5...s.F...t.O...v.d...w.q...y.w...z.....\|.....}...........................................................................................*...........>.........................................k...........K.....f...........Q.......................\.......................=.....j.....\|...........j.................P.................(.................A.....N.................M.....].........../.....{...................................[.......................F.......................>.......................N.......................V.......................A.............................p.......................^.........................................>.............................V.....p.................E.....r.................e.................4.....{.......................e................. .....q................._...........:.....R...........B.................'.......................6.......................).............

C:\Program Files (x86)\Fast!\nwjs\locales\pt-PT.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\ro.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	546764
Entropy (8bit):	5.454463666754963
Encrypted:	false
SSDEEP:	6144:vKKk0VgRYLfXSAfTCeVootxZIXPK8XGp5ajoUs2f/fO53:v7kAfXSAm4oojZEi8U5koU/Y3
MD5:	28F53F79B903484B19E9058A0185EF62
SHA1:	BD557C05F6B3EA55BC346704414872980198BC9D
SHA-256:	CD38E5A8A4C3FEDCFCD1DE513BCA330E42BB1F765ED8520F14A9D0CEE05C5014
SHA-512:	A0D0EBA1778BE43E5D7DCC469C0C11FFFFB944CDFB13B39E907DBA15A153C8840D499BDDA4706B60FE369036A7AAD77307759F46DAF7D7FA6EC30175026A6A7C
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.(...w.5...y.;...z.J...\|.P...}.b.....j.....o.....w.............................................................................m...........K.....e...........&....._.....s...........z.................k.................5.............................n.......................}.................E...........3.....x.................z.................B.......................Y.............................%.....z.................G.....e.......................=.....Q.......................&.......................&.............................q.......................K.......................*.......................E.................'.....y.......................I.......................H.......................c.................N.........................................-.....H.................L.....a...........^.................S.................).................8.....P.......................(.................e.

C:\Program Files (x86)\Fast!\nwjs\locales\ro.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\ru.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	894248
Entropy (8bit):	4.853777212022142
Encrypted:	false
SSDEEP:	12288:fT6txnsfQjRo4Y+7VMh/K69zJ9fx+aAmamqSGsN0zqcnYH8eXN2hPO3j/7rbzvM5:f0eno596E3
MD5:	EC048E111E16BB45E5DFAA79E2988B61
SHA1:	F3DDD9903C10C8A9813B8E43898CC746C343DD1B
SHA-256:	F9DB82DF1F589383B7C69AE86855657D2C129E45D28D88D5EB9C231C7673FD19
SHA-512:	775CC311258370519A8F037E55AFDA3F9B2DFEEFC5DC2F5CEE277C114CABB07284080C9686C5B6FB4BFA4BA0D1B381068E81233AB1D376550399AF4E0D62C803
Malicious:	false
Preview:	.........$D.e.F...h.J...i.[...j.g...k.v...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.............#.....+.....3.....;.....B.....I.....P.....Q.....R.....T.....q.............................N.......................0.......................a.............................d...........M...........U.....x................n...........9...........+.....g.....Z..................................\|...........X...........9.....^.................@.....m.....q.....k...........:...........M.....z...........;.......................\|.................7...........<.....u...........@.................?...........B.....}..................................._.......................0...........\|...........1.......................q.............................).................. ....K!.....!....."....."....."....##....5#.....#....d$.....$.....$.....%.....&.....&.....&.....'....?(.....(.....(.....).....*....8+.....+....6,.....,.....,.....-.....-..........C.....\.....4/...../....Q0

C:\Program Files (x86)\Fast!\nwjs\locales\ru.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\sk.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	563868
Entropy (8bit):	5.811666883187016
Encrypted:	false
SSDEEP:	12288:4pbEf/qsokgDV+yHih+BD5yTlcLzTlXLPxt9+:+Ef/qsy+yND5fL9ltU
MD5:	66268D564F98800BA9089E18FB6FADAB
SHA1:	9EC5E96E9387EEA89FF80CF9830941AC5FA39B5D
SHA-256:	5608658D3C119F72B3FF286E5242958ACA3B52A49B3A11E1E8E0814A80A816C3
SHA-512:	E912049C309E2A50D4FECEFC84D8C7A3C8FF16D1783AE50FDF4A21DF77BEE78287FE46D41D915AA79330252B1453FF73B32E21FAFAD4BBE4A002A647BACC73D1
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.&...v.;...w.H...y.N...z.]...\|.c...}.u.....}...............................................................................................K.................O...................................m.................X.......................w.......................r.........................................}...........I.....l...........c.................).......................m...........'.....>...........c.................1.............................{.......................t.........................................K.......................`.......................q.................2.................>.....Q...........k................. .....n.......................R.....n.................M.................%.......................g.......................k...................................8.....R.........................................0.....Q...........".....Q.....e.................6.....J...........A.......

C:\Program Files (x86)\Fast!\nwjs\locales\sk.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\sl.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	541701
Entropy (8bit):	5.482723097852039
Encrypted:	false
SSDEEP:	12288:9b6vo8B2XKjcELn5C+cyJHjgMi/fzXlqc:9+voROLn5C+c4i/fzX7
MD5:	1DA905D46439A65753AAAC5E0B24CA3D
SHA1:	89D9B714965B5E0275E9FED8AA1191B6E598F7A3
SHA-256:	9EA136F6A894EB265D82BE30636989977311440B9B88281502BE78B3F853433A
SHA-512:	FD5D59FA0975A565083183625D496AD3D4E82361CFFA9A63DD92FC3213A49FE44FAEF778C88643F8DCFDEE900893EF739DF94C378232ADB18E4F68538E6F8036
Malicious:	false
Preview:	.........$..e.p...h.t...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.&...\|.,...}.>.....F.....K.....S.....[.....c.....j.....q.....x.....y.....z.....\|.............................Q...........3.....L...........".....S.....d...........p.................D.......................I.......................;.......................M...................................8.....Y...........7.....q.................[.................'...................................b.................7.....N.....f.................;.....K.................0.....C...........&.....b.....v...........=.....p.................g.......................y.......................}.................,.......................P.......................8......................./.......................V.................)...............................................*.................:.....R.......................'...........\.................[.......................W.......................I.............

C:\Program Files (x86)\Fast!\nwjs\locales\sl.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\sr.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	831714
Entropy (8bit):	4.786121688044425
Encrypted:	false
SSDEEP:	12288:EW7T2A7Ey2LYheWId1OShdEudPNRaIA1ID5f01KxVxz8/8W37ZjejM/k/u:EWHDS8mD5lxLS
MD5:	049129712BD8F949525470590E78FD55
SHA1:	E4E8CEE1D2B3907BE2F87982D5746748E7631B6D
SHA-256:	9E5FE2354ED58CDBC1EC6251FEED967643B6E251CD05B83EA05C87A958A29937
SHA-512:	11F3C9CBB29CF798D570A2546133A7888277A2B9D6DAADF2225CCFF0681F2976A2A7E334AE52246DBFB48D1EEBB4CA9312B45965269C022D854C145C2241D4B7
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.(...t.1...v.F...w.S...y.Y...z.h...\|.n...}.....................................................................................0.....e.....R.............................,...................................I..... ...........:.....o.........................................Z.....q.....C...........2.....m.....m.....+.......................S.......................3.......................W.........................................\.................%................d.........................................<.................o...........D.....e...........~.............................C.....d...............................................% ..... ....+!....c!.....!....".....".....".....#.....#....L$.....$.....$.....%.....&....y&.....&....l'.....'.....(....>(.....).....).....)..............m+.....+.....,.....-.....-....q...........}/....'0.....0.....0.....1....&2....y2.....2....$3.....3.....3.....3.....4....c5.....5

C:\Program Files (x86)\Fast!\nwjs\locales\sr.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\sv.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	488477
Entropy (8bit):	5.539514294311883
Encrypted:	false
SSDEEP:	6144:gyxFxoU7x5t18Owzfn/lAFKxwucsX9n4RFcnqS83G6iMZSOwDE/xWcqVJ5iJu5Cp:gyxrgxzCFfI5j5Cxv
MD5:	CA76995C98ABCF4B3CCB278E17BE90B4
SHA1:	33B67943BB2FCA6179C25188A9AC65C77A0BF405
SHA-256:	84CD72BEA2768AE658E8CB625EC042CECC221E2B4CB028B44979B5E4F603C88D
SHA-512:	4104625E8ED872FA900ACD5DCE242AD368116A7B663451DA7586CE7C172652F37AA3A4D1EBB08460998795215539CE19FACD3C21169585E3B72AB60725D4B5F5
Malicious:	false
Preview:	.........$..e.@...h.D...i.U...j.a...k.p...l.{...n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...................%.....-.....5.....<.....C.....J.....K.....L.....N....._.....q.........................................e...................................n.................W.......................b.......................a.........................................X.................0.......................(.................D.....T...........P.................L...........:.....Y.....................................................c.......................W.......................d.......................Y.......................I.......................@.......................K.......................`.......................9.............................Z.....{.................e.................0.............................w.......................m.................8...................................U.....{...........G.....w.................$.....B.....P.................=.

C:\Program Files (x86)\Fast!\nwjs\locales\sv.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\sw.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	513900
Entropy (8bit):	5.344746054879102
Encrypted:	false
SSDEEP:	12288:cpIXyATLXIuOcoW5ruCERdSUrbQBDFY6DDJ8cZgL6529b9uyO6IKPe/Br2tfj:ccyZo5S3
MD5:	556EB2D19EF88DEAB234ACC582CD59D8
SHA1:	21E5866D6DEC80D7A7299D7D79A14C5EA0C099E4
SHA-256:	F37FB8280F36C1188EB52B20E87321FC90ADF667EAEECBA99D7987836DE26892
SHA-512:	4C5BA5F782DBE58649FBC12E23997F2F6C2BAE702A429214597CC063918926322945C7194758AF3A88C50D2CB9A2C8CCD323355040A77B2B538CA5AA0312402F
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.(...w.5...y.;...z.J...\|.P...}.b.....j.....o.....w.............................................................................u...........D.....Z...........).....h.....z...........m.................2.......................$.....w.......................\.......................f.................H.................,.................8.....H.......................<.................=.....Q...........`.................3.............................Q.....t.....}.................=.....I...........,.....w.................6.....j.....\|...........@.....}.................0....._.....l...........&....._.....h...........L.......................^.......................h.................*.....z.................F.......................x.......................S.......................a.................#.................u.................k.................T.........................................,.................[.

C:\Program Files (x86)\Fast!\nwjs\locales\sw.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\ta.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	1320500
Entropy (8bit):	4.062774531809682
Encrypted:	false
SSDEEP:	6144:BTvvMOEEaXdfBdmXzhqK5xzotR1cA25tm1vYpiMyk:xMb1BOsK5xzccA25tm1vYpiMyk
MD5:	2183EF7EB74F136CD972AEED9FB378CB
SHA1:	B63653C504420EF6FEF72C5D5D6E91D9AF9F4D3E
SHA-256:	B8C4187C5A096FC5F52E39CEA6561E280387EDFB8C3AF31A8880AE4D282FAC6F
SHA-512:	1A1958694555836535CCC1C57F8A0A766A361DEA730FE2713ECF20B0090E74D4E3DAA8456E39ED17E75E939025298BAD422377A5FE2B1A4836AF196F8533A1FC
Malicious:	false
Preview:	.........$..e.j...h.n...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z."...\|.(...}.:.....B.....G.....O.....W....._.....f.....m.....t.....u.....v.....{.......................x...........s.....9.....b.............................f.......................-.....c...........1.....2.....%.........................................P.....T...........?.............................<.....R...........8.....y...........D.....u.......................M............ .....!....V!....Y"...."#....v#.....#.....$.....%.....%....%&.....'.....'....C(....w(.....).....*....>+.....+.....,....r-.....-....%....../...../....q0.....0.....1.....2.....3....43.....4.....5.....5.....5....'7....x8....T9.....9.....:....{;.....;....,<.....=.....=....3>.....>....Y?....B@.....A....ZA.....B.....C.....D.....D....qE....7F.....F.....F.....H.....I.....I.....I....iK....\|L....]M.....M.....O.....Q.....R....0S.....T.....U....NV.....V.....X....TY.....Z....eZ....i[....V\.....\.....]....H^....w_.....`

C:\Program Files (x86)\Fast!\nwjs\locales\ta.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\te.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	1219707
Entropy (8bit):	4.317060924736985
Encrypted:	false
SSDEEP:	12288:UNne1V7McKNpCrWtFwd49+6gb0tQWp5Bi3p1FwPOiTlC2pCgmNFqPZrO0oXAogQN:UNnsM1o5fMB6
MD5:	ADBA9A9C6507AB74F757B72892EE33B7
SHA1:	AB9E424C2300A4E81DDB041F2FA1B14F3855E157
SHA-256:	B1DB19096C91EC4B496BBA41115C0B98DAA64EA0EB2834DDA3ADAC66F3AB8C29
SHA-512:	85A273758EDED695004DDB7926CC0A1AE9604A51EAD202152F2C3DABC96A2FDB780C458BC4AF244BBCC792877901716573262879B2E8A524A015B00A17BA2AAB
Malicious:	false
Preview:	.........$\|.e.....h.....i.....j.....k.....l.....n."...o.'...p.4...q.:...r.F...s.W...t.`...v.u...w.....y.....z.....\|.....}.........................................................................'.....[........................................._.....Q...........:.............................<.....U.........../.......................B.....Q.....!.............................5.................B...........n.......................o.................2.....u.......................G...........-...... ....g ....R!....."....W".....".....#....z$.....$....&%....:&.....&....j'.....'.....(.....)....v..........+.....,....X-.....-.........../.....0....H0....g1....72.....2.....2.....4.....4....b5.....5.....7.....7.....8.....8.....9.....:.....:....);.....;.....<.....<.....<.....=....p>....1?....i?.....@.....A....PB.....B.....C.....D.....D....JE.....F....hG.....G....9H.....I....<J.....J.....K.....L.....N.....O.....O....tQ.....R....8S.....S.....T.....U.....V.....V.....W.....X.....Y....IY.....Z.....[....L\

C:\Program Files (x86)\Fast!\nwjs\locales\te.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\th.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	1025905
Entropy (8bit):	4.362277360600447
Encrypted:	false
SSDEEP:	12288:SrS1N9LyZYACTBz1L/LLXPX9s0nIJZgv1V5UBu7L3fBj8BlzEdq3Ro9AGdI9uLAJ:+ou5555
MD5:	E7A2587CD69D383FA3AB0B5A99AE5287
SHA1:	994FBBDA5410D55458F01EE5C6007C8BFB755BBA
SHA-256:	73096FA2EB7575FE9702228BA87090872CFE7E8C89CDFD823294ED03DB5EDEF9
SHA-512:	698E97F34CCCD6743086A27FF13043B72912804A16364F0EDB5DEFB06151AD179ABA344884A10965A418858BE3A2E7747ECB6ED80476F882A7D3E962FF56869B
Malicious:	false
Preview:	.........#c.e.....h.....i.....j.....k.....l.4...o.<...p.I...q.O...r.[...s.l...t.u...v.....w.....y.....z.....\|.....}...............................................................................9.....c...............................................>.............................F.......................;.........................................8.......................w...........`.....W...........h.................0.......................D.......................R.................$.............................................................................v.......................~...................................6.................#.....J............ ..... .....!.....!.....".....#....#....D$....A%.....&....-&.....&....l'.....'.....'.....(....()....q).....)....F.....*....-+....]+....},....2-.....-....8...........M/...../...../.....0.....1....r1.....1.....2....)3.....3.....3.....4.....5....z6.....6.....7.....8.....9.....:.....:.....;....&<....V<.....=.....=.....=.....>....'?.....?.....@

C:\Program Files (x86)\Fast!\nwjs\locales\th.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\tr.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	524677
Entropy (8bit):	5.617230451618925
Encrypted:	false
SSDEEP:	6144:yoQUxBiHzpR9GcvONqVRgrWBguZSz+iCqQJoCN+HG4ngeJ5wB/R+bi1SGedTAM3Z:UUxBQ1zBEq0yG50qHGA5wB/c
MD5:	B00E05AE3EBAA5A315872F24BE2DDB6F
SHA1:	141160CD3B6A4CEDC2685F347A42FB89ADDE031A
SHA-256:	5AD03FAD2C79731396385A5C3EABFA991BB257886935EE015307931C3C58DFF5
SHA-512:	A6B6546B14EFE3759CE0A38329F3B5FBE13A73D73E3FD681A9281C0C505B579FA07CFAB5C50E4AE6076257F82F67ACC54CB0B9816ABAA890CA7B3F994E8436C2
Malicious:	false
Preview:	.........$h.e.....h.....i.....j.....k.,...l.7...n.?...o.D...p.Q...q.W...r.c...s.t...t.}...v.....w.....y.....z.....\|.....}.........................................................................".....8.....M.....g.............................i...................................^.....y...........:.....u.................1.....X.....g.................J.....\...........,.....^.................s.................8.......................7.......................D...................................G....._.................I.....e...........$.....S.....d........... .....N.....^...........).....`.....m...........<.....s.................E.....w.................@.....p.....\|...........A.....u...................................Y.......................Z.......................:.......................M.......................k.......................R.......................j.............................h.............................<.....`...........f................./.......................F.............

C:\Program Files (x86)\Fast!\nwjs\locales\tr.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\uk.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	891860
Entropy (8bit):	4.887779263943541
Encrypted:	false
SSDEEP:	12288:xGft5on20SlRfnqz/T0hNai4IEE52B3IjQAMXES/OuOLNiXEqqbLIyz+4uL2uoU:xG15onQSs5YEG
MD5:	06133217E0FC480E2F43F74AA132EDD7
SHA1:	EB422C32A18A8770CDD4D019B85046A315A6C8CD
SHA-256:	2BB2C2E67CE4F62435FCBB4B3D96253AD5F6065BBD4729CFD44E226B965A7984
SHA-512:	5311CE90877EEB64F05BA039839424B676F67280783A66CC041E388CFC81371B8D779C11CF9901A6B92678C64A3D71945BA4CCD29599E164E4AC1896EE132C97
Malicious:	false
Preview:	........`$..e.....h.....i.....j.....k....l.5...n.=...o.B...p.O...q.U...r.a...s.r...t.{...v.....w.....y.....z.....\|.....}.........................................................................(.....A.....k.................T.......................M.......................[.......................v...........%...........H.................f...........R.....g.....#.................H.....5...........w...........e..........._...........-...........!.....B................. .....M.....<.......................P.............................(.....h.........................................4.................R...........,.....G...........X.................J................./...........B.......................p...........;...........M.................& ..... ..... ..... .....!....+".....".....".....#....h$.....$....W%.....%....X&.....&.....&....`'.....'....$(....Q(....().....).........Z*....L+.... ,.....,.....,.....-.........../....U/.....0.....0.....0.....1.....1.....2....Q2....n2....B3.....3....^4

C:\Program Files (x86)\Fast!\nwjs\locales\uk.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\ur.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	778961
Entropy (8bit):	5.172607429771382
Encrypted:	false
SSDEEP:	12288:JaRqEcN0s8PGmuDltyfHeMK5AQDPEFfWaKxNQYriwadcJKwUUuvco/9NjjFpv0h:Iiwk5qWj
MD5:	99169B41D0BD7F9AC47C88F99E33D521
SHA1:	FD8AAEF710593F22E969EFB3FF25556F1BCD3E5E
SHA-256:	95325A5FC4D46B5BB197751BDEAA600A1A64B55DB798016A853250D9256301B7
SHA-512:	41EFF393E31EBE62B23F18184D19FFE9C79A71C29EFF84CDC289293F529C10D016C19CD948ED39E9336A9CA0E0C2A72FF986D29D1A1969DDF5D98888B3669F81
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.'...w.4...y.:...z.I...\|.O...}.a.....i.....n.....v.....~...................................................................................5.....\.................(.....L.....+...........g...........O...........V.....z.........................................T.....w...................................V.......................0.................Q...........M.....j.....=...........w.................H.................\|...........&.....N...........9.....v...................................y...........M.....k.........................................S.....o...........k.................V...........$.....@.................-.....X...........h.................^.............................! ....g ..... ....O!.....!....K".....".....#.....#.....#.....#.....$.... %....r%.....%....j&.....&....d'.....'....e(.....).....).....).....*....Q+.....+.....,.....,....q-.....-................./....W/...../....)0.....0.....1

C:\Program Files (x86)\Fast!\nwjs\locales\ur.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\vi.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	620353
Entropy (8bit):	5.7924630369242625
Encrypted:	false
SSDEEP:	12288:Ac+gw3uUg+cnwJTroEw/aB1INgsHkL0eetDfL9v2J5WZ8h67InkiNwziMHQQwti4:Ac+gd+cnwJTiaQNgsHg0e4E5u8o7xiN3
MD5:	9626571ADD089F7010CFFF6B8C893EB5
SHA1:	1A933789FDE207BFF34CE255E7E7212F8FDF273B
SHA-256:	D351B4DAF943CE616D66F43A36FDFB390CBF19DF7E729B9D499AF3B16D34C170
SHA-512:	C64A41FC359C3CB4D14C14E274FD7FD4B92BE6A7656374B136EB52C7238334F1CAD4F3363A84A9169A84F71A7E4AABF8B1A25D216D5B1D351FF79C4A8FEC7192
Malicious:	false
Preview:	........]$..e.....h.....i.....j.....k.-...l.8...n.@...o.E...p.R...q.X...r.d...s.u...t.~...v.....w.....y.....z.....\|.....}...............................................................................-.....V.....u.....-...........K.....g...........{....................... .................5.......................p.......................e.............................6.................s.......................?.............................-.....y...........5.................B.......................".......................<.................F.....W...........7.....s...................................L.......................a.......................v...................................9.....K.........................................E.....d...........9.....c...........Z.................Y...........U...................................m.................:...........4.................S...........i ....} ....B!.....!....@"....z"....."....c#.....#.....#.....$.....$.....$.....$....i%.....%....Q&....r&

C:\Program Files (x86)\Fast!\nwjs\locales\vi.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\zh-CN.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	449776
Entropy (8bit):	6.685457449005063
Encrypted:	false
SSDEEP:	6144:P1sG8CyOdnkDKzAIa0g7H56+LxCkGDo58WhNyht8g7Lcln:PCGRyOdk2zVad56+LxWo5DhNyht8gM
MD5:	968FC657ACB577D184EA0A716AE5B19F
SHA1:	ED37D428610D950A5897D9B282A75FD537F178CA
SHA-256:	3F774B33B01F86493E7EF1EDEFABC7CF49B58981358438979F32106557C849A6
SHA-512:	859083FDF742AC3B3666AA667F4DA228999C988A2AFF23C158735345996C98CA302F0FBFD1190109D9969F45DA150C79240ED93A8ABB926946B899633BF07383
Malicious:	false
Preview:	......../$..e.....h.....i.....j.....k.....l.....m.....o.....p.....q.....r.....s.....t.....v.....w.....\|.$...}.6.....>.....F.....Q.....Y.....h.....m.....u.....\|...............................................@.......................q.......................o.......................z.................0.....~.......................V.......................5.......................5.......................Q.......................B.......................(......................./.......................2.....u.......................<.....b.....n.................!.....0.................8.....J.......................$.....}.......................b.......................:.......................=.......................N.......................%.....s.......................f.......................I.....}.................,.....F.....R.................4.....F.................=.....]...........F.......................l.......................i.......................1.....O....._.................?.....Q.......

C:\Program Files (x86)\Fast!\nwjs\locales\zh-CN.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\locales\zh-TW.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	447533
Entropy (8bit):	6.693705796563921
Encrypted:	false
SSDEEP:	6144:dQezZRtkOt3+JmCEW2RuWgehW25LYIz17fxAy0j7zylk6T7:FzZ8OtAEgehW25LYIzVXm7sv
MD5:	756E8E06E626755BBE8E555816729F82
SHA1:	74553DFBE30832B1522E7C7FB0ADCA9E2713D710
SHA-256:	F397B495DB8F47789774FEB5B8A2FE9970DE2E9F22D280FA508D8602FD1DD4DA
SHA-512:	543F9B6C646D6E10A9AAF22CDAEEF2555182481E6A2E292B66DD5FB9F13AAFD67B4FAA2A70DEA1717936482F43FCACEDF1096E0EF6FDA8240A3E93F7F47B85CF
Malicious:	false
Preview:	.........$=.e.T...h.X...i.i...j.m...k.\|...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.............$.....,.....4.....;.....B.....I.....K.....P.....Y.....e.....t.................s.......................k.......................`.......................].......................J.....s.......................<.....I.......................9.................%.....:.......................(.....{.......................j...................................(.....:.............................8.............................O.....r.................).....R.....^................./.....;.......................*.....\|.......................T.......................E.......................;.............................G.....a.................E.....W.................5.....X.............................Y.......................D.......................M...................................$.....9.......................$.....d.............................q.......................c.

C:\Program Files (x86)\Fast!\nwjs\locales\zh-TW.pak.info

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1002118
Entropy (8bit):	5.421493602926462
Encrypted:	false
SSDEEP:	12288:HPwCbHEzqTGHhxK7gCBYVExtHnOwkxwkYOjTlz4:vOjTG
MD5:	E3BEB49BA64CB7A3AF04BE34B2FB2FF4
SHA1:	DDC36967B80FF1062461BF0B691736A9F8F3D57A
SHA-256:	E957CDE29B8732CC46E61C98629CBBFAA23333776AE5DB166A2B2169799C8290
SHA-512:	9DBC8F89809926E8B19609018F6C82BF9411A8C9690C6EBBCC93F2BFCADD194C27A8220AD581FC60D168AA06AE3D35072BB298A9619E4D6A8664EC6AF6A49FDC
Malicious:	false
Preview:	IDS_ACCESS_CODE_CAST_ACCESS_CODE_MESSAGE,1400,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_BACK,1401,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CAST,1402,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_CONNECT,1403,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_DIALOG_TITLE,1404,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ENTER_CHARACTER,1405,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_ACCESS_CODE,1406,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_DIFFERENT_NETWORK,1407,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_NETWORK,1408,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_PERMISSION,1409,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_ERROR_TOO_MANY_REQUESTS,1410,../../chrome/app\access_code_cast_strings.grdp..IDS_ACCESS_CODE_CAST_E

C:\Program Files (x86)\Fast!\nwjs\natives_blob.bin

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	218275
Entropy (8bit):	5.34737925007636
Encrypted:	false
SSDEEP:	3072:uUKt1rxNpyXcsR/H/UxRjh7uHRcdA4SSSLl/sL8:uUKvrxNpyXcsRf/UxRjhwcdAuY
MD5:	100F66BE85612F7DD095E0F468497F68
SHA1:	6D0B30428726D079AF3DEB3279033C268733DC22
SHA-256:	E8472A5C9291C2B46B7BE611EC994D5E37ED9EC1B473E50DFC9A94C9A923CEC2
SHA-512:	841A90B6B54FEAF47973990882D9A274B4E9F8E850E21A2B94A41B8FFD501969C77003C19B961D180CB2A0062B7E32A5AA6514FB34ABE8F1BA818795A2B91FBD
Malicious:	false
Preview:	..mirrors....(function(a,b){."use strict";.var c=a.Array;.var d=a.isNaN;.var e=a.JSON.stringify;.var f=a.Map.prototype.entries;.var g=(new a.Map).entries().next;.var h=(new a.Set).values().next;.var i=a.Set.prototype.values;.var j={.UNDEFINED_TYPE:'undefined',.NULL_TYPE:'null',.BOOLEAN_TYPE:'boolean',.NUMBER_TYPE:'number',.STRING_TYPE:'string',.SYMBOL_TYPE:'symbol',.OBJECT_TYPE:'object',.FUNCTION_TYPE:'function',.REGEXP_TYPE:'regexp',.ERROR_TYPE:'error',.PROPERTY_TYPE:'property',.INTERNAL_PROPERTY_TYPE:'internalProperty',.FRAME_TYPE:'frame',.SCRIPT_TYPE:'script',.CONTEXT_TYPE:'context',.SCOPE_TYPE:'scope',.PROMISE_TYPE:'promise',.MAP_TYPE:'map',.SET_TYPE:'set',.ITERATOR_TYPE:'iterator',.GENERATOR_TYPE:'generator',.}.function MakeMirror(k){.var l;.if((k===(void 0))){.l=new UndefinedMirror();.}else if((k===null)){.l=new NullMirror();.}else if((typeof(k)==='boolean')){.l=new BooleanMirror(k);.}else if((typeof(k)==='number')){.l=new NumberMirror(k);.}else if((typeof(k)==='string')){.l=new

C:\Program Files (x86)\Fast!\nwjs\node.dll

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18201088
Entropy (8bit):	6.4932256115450375
Encrypted:	false
SSDEEP:	196608:OClFgvw8eWv14jYkndNx/YDB3vOz0hGxxC:OogvwjWN4LdNWDpvOz0EfC
MD5:	D75452669E917D4EB4701F8AAFFCC99F
SHA1:	2FC81479CA44F3D28B58E231C3798E06AA06AF23
SHA-256:	B77F8A9FFCB43FF98A7E8F44ADCB80D20D074FE2552F6DF753EDD711698B21F9
SHA-512:	4C3737F697DA8A0D80255AF1A515F2E5FA6BE27643FA7B24A51577F3D42CD9B636527B69E2C1947C0DC6D62504B6EC38BE0DF5AD1048584BB628E66443C4209F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....Be.........." .........................................................?...........`.........................................x....#......,.....>......P8.Tn............>..t..\|...........................(.......8...........@................................text.............................. ..`.rdata.............................@..@.data...p<*.........................@....pdata..Tn...P8..p..................@..@.00cfg..0.....<......D..............@..@.gxfg.........<......F..............@..@.retplne......=......6...................tls....a.....=......8..............@....voltbl.......=......:.................._RDATA........=......<..............@..@.rsrc.........>......>..............@..@.reloc...t....>..v...D..............@..B........................................................................................................................................

C:\Program Files (x86)\Fast!\nwjs\nw.dll

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	208823296
Entropy (8bit):	6.697368222848026
Encrypted:	false
SSDEEP:	1572864:UtAt+kI758sDa3FD2Ps+hvUzVxi2c0ewtV4DZEFJpHNZZu4XgAijI2Mf3vW4Rl:ArS5VeZwMlw3zl
MD5:	E364CDA0087825F70EF0332E2BE65379
SHA1:	BA9FC41CDDCCB576F022D34C003E86736EF5BF62
SHA-256:	F924FEB13C23A57529054107D2412F16EDF8A31DAC7E8AA6E36EAF86C6A47A7D
SHA-512:	C471264CDCFBB0AB7BE89DA58498C2BA86184917B623C262581212654B0D6549663212A148A5A92FE1342201FD4E9B77CD0478ABE013FA817A0BDC7A9EEF4280
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...P0Wd.........." ......E...,.......?...................................................`A............................................C.#....\|....0l.`.... ...._...........q..1.. O..8...................0H..(.....8.8...................]..`....................text.....E.......E................. ..`.rdata...a....E..b....E.............@..@.data...P. ..@......................@....pdata...._.. ...._.................@..@.00cfg..0....0k......(V.............@..@.gxfg....C...@k..D...*V.............@..@.retplne......k......nV..................rodata.......k......pV............. ..`.tls....Q.....k.......V.............@....voltbl.v.....k.......V.................CPADinfo8.....k.......V.............@...LZMADEC.......k.......V............. ..`_RDATA........l.......V.............@..@malloc_h0.... l.......V............. ..`.rsrc...`....0l.......V.............@..@.reloc...1....q.

C:\Program Files (x86)\Fast!\nwjs\nw.exe

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2337112
Entropy (8bit):	6.448273621618817
Encrypted:	false
SSDEEP:	49152:9W3aFEhyflDCQ6n85K353JCJ9f98Tplhpgh:owrGjG8Tpmh
MD5:	D6644E8A0C3C48607EC424BAE0FEB47E
SHA1:	C041EFB63894032BE1B8E517B8CBB45454CCF330
SHA-256:	221027FD7E324A31614FDA2DAC69E3B9AF082895FF7C45B6C19D42AA27592DA3
SHA-512:	D689575C7F1430BF0B92AAF50A757F7C9E3DD5E8AF71DACF0911EA484DB79460369455F91B2F480B0F224FE7D0C0199AFD9DB98B65FBA3F3BC3FF430838C5C04
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...P0Wd.........."......8...>......p..........@..............................$.......#...`..........................................e......Rf..d.......2.......(.....#.X)...P$.. ...>..8...................p=..(.......8............n..`....V..`....................text....6.......8.................. ..`.rdata.......P.......<..............@..@.data........@...D... ..............@....pdata..(............d..............@..@.00cfg..0............T..............@..@.gxfg...P........0...V..............@..@.retplne..... ...........................tls.........0......................@....voltbl.D....@..........................CPADinfo8....P......................@..._RDATA.......`......................@..@malloc_h0....p...................... ..`.rsrc...2...........................@..@.reloc... ...P$.."...^#.............@..B........................................................

C:\Program Files (x86)\Fast!\nwjs\nw_100_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	682477
Entropy (8bit):	7.963912396307454
Encrypted:	false
SSDEEP:	12288:7PI3H1fJKjzgsz5B0GDJQrnKs8SNP+QSsSilRBdNz10Vc+gIXsbXoO0TehEr2:83VBK7zEEmPLSOdNz105gUyXoO0TO5
MD5:	93D58EFB8C31214A57515A2AE1D2FD30
SHA1:	64DB5C74C4FD45BF77E33425C1D1E844D245C535
SHA-256:	835E6B02123D59FC73D43F8286ED77E8B7C3963D739C45B81D3AE8E59E60BFC7
SHA-512:	435C4F5404D7EF4402E7A91ED7C8FB486C361B0BA39F09E066BEB3FFE1EE4FDFB2AB28F994494232A781F19696649646AD2A54499F8B6D10C34F823AD319CC1F
Malicious:	false
Preview:	..........K...........................<..........;.....;d....;....;8....;.....;.....;d....;....;"....;.....;....;5....;.....;....;J....;.....;.....;F....;.....;y....;.....;....;-....;K....;.....;.....;.....;.....;!....;.....;.....;.....;.....;.....;i....;1....;.....;.....;.....;,....;.....;.....;a....;.....;q....;.....;k....;.....;.....;L ...;.)...;.2...;.F...;.Z...;.[...;)]...;._...;.b...;Pe...;=n...;.u...;.z...;.....;B....;....;....;....;0....;.....;....;[....;J....;p....;.....;.....;.....;y....;.....;.....;.....;P....;4....;.....;.!...;G)...;.....;@7...;.8...;mV...;.o...;U....;.....;....;.....;.....;B....;M....;.....;.V...;fk...; ....;....;.....;....;q....;J....<.....<.....<_....<.....<x"...<.)...<%2...<Q:...<.?...<"K...<aU...<^Y...<.^...<)c...<.t...<.....<g....<.....<.....<.....<W....<Z....<.....<.....<K!...<.6...<.D...<.N...<.U.. <.\..!<.q.."<n...#<....)<....<....+<....,<h...;<....<<....=<\...><s...?<=...@<O...A<m...B<....C<*...D<....E<]...F<U...G<<...J<....K<....L<.#

C:\Program Files (x86)\Fast!\nwjs\nw_200_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	1068808
Entropy (8bit):	7.952701382598292
Encrypted:	false
SSDEEP:	24576:k3zBH5zLmmibkFR8+mZRUumegvQt805Uwvd6Wvpbae6edhOLoP4:k3B53mNbkFRJmHURhQC05Jvd64jrOB
MD5:	7B96F3A7FF47C8E46BA847FCAAD26D33
SHA1:	F9B5A958E29CE039F03C775B889FC974B65481E2
SHA-256:	94AFE21E06F098CA7B7C3DC432355503536973D1C377B4D202AB64BCFDE5133A
SHA-512:	FD606264D1B7786A85C901D5A7B851D74F248903B66F0384E947A82E25655D8C8FC081D12BDD6136A366DC214FB15D39A86CDBCA540427BB3C60AECE268AFE3F
Malicious:	false
Preview:	..........L.........%...........v................;.....;:....;.....;&....;.....;.....;v....;....;L....;.....;!....;.....;....;P....;.....;.....;.....;....;C....;.....;;....;.....;.....;.....;x....;^....;.%...;.C...;.Y...;pn...;Kp...;.p...;<r...;.y...;Lz...;.\|...;.~...;O....;.....;R....;....;.....;\|....;.....;.....;\....;.....;.....;.....;k....;....;.....;.....;.&...;.(...;~...;.,...;.2...;S8...;.M...;.^...;sm...;)}...;.....;_....;....;.....;.....;.....;.....;.....;.....;.,...;.<...;VO...;8c...;.z...;a....;.....;.....;.....;.....;.....;b"...;.:...;.I...;.b...;.e...;.....;y....;.....;.....;.....;.....;.....;$,...;;H...;.Z...;.....;x....;>....;.....;1....;.....;.....;.....<.....<c%...<.:...<.F...<.P...<aW...<._...<.h...<mm...<.x...<?....<.....<.....<....<~....<.....<L....<.A...<.b...<h....<.....<W....<`....<.....<.6...<.d...<.....<f....<.... <...!<t..."<;D..#<.D..)<1F..<.h..+<...,<?...;<....<<....=<5...><...?</...@<....A<....B<m...C<>...D<{...E<.D..F<.H..G<.N..J<.V..K<.c..L<.p

C:\Program Files (x86)\Fast!\nwjs\nw_elf.dll

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1131520
Entropy (8bit):	6.536561027180539
Encrypted:	false
SSDEEP:	12288:KVQ+6Nq2vF73pppDh8oLG9UTlcPwaKD1CK+D3SJ3NVTRmcIMI+nk/owl+GlBfG:KVQDNqyB7zLG9qD1CrDQHNmcMzl+6l
MD5:	7509D69C2896E7B903398DA350B42C8A
SHA1:	6BB535EA3728933A6AA9162950CFC44328E4D347
SHA-256:	BBAF4E0D60D4362E23671301E9ABA75252B1059CD6E1DCF6AD0ACCEC5E115152
SHA-512:	438CEFEC05E62904A8F2F304607EA4E9AB691793F8950EA2FF12B3740B5BF172F29EC40F17921D4DA8A09590BBA01889D81DA8315EA6585076C0B758D9E6A1BE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...P0Wd.........." .....X...........,.......................................P............`A........................................c~..........<.... .. .......\|............0......ll..8...................@k..(...p...8...................x.......................text...MW.......X.................. ..`.rdata.......p.......\..............@..@.data...t....@...@..................@....pdata..\|............^..............@..@.00cfg..0....p......................@..@.crthunk............................@..@.gxfg... ,..........................@..@.retplne.................................tls................................@....voltbl.B...............................CPADinfo8...........................@..._RDATA............... ..............@..@malloc_h0............".............. ..`.rsrc... .... .......$..............@..@.reloc.......0.......,..............@..B................

C:\Program Files (x86)\Fast!\nwjs\resources.pak

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	4775861
Entropy (8bit):	7.994874833136889
Encrypted:	true
SSDEEP:	98304:KwNkpHyVBJvC85FhbtlvmZEroQRkx3DglVb9ftvoZEMTDEFkddpGh1f5G:y1yVvv9rBChobltvoZEMkFnhl4
MD5:	43735A475FA2486E49C34D1AD8F57DF5
SHA1:	2A987D18F63AC0E686BFBA8E992757BEB1D9F5CA
SHA-256:	4F10CA74584E91BE68D0FB50DB1F96F5D636CDE11F6770870F3C6C8D97C7D7D8
SHA-512:	60BBEB46A2AEE635B8FC676F5A17F32EC0DEFFE6362C6ED239AB5CF97CFAFBAB011BFAE37AC19C3DA0729E90CADCDDAFB8244C69176E08B83637C5350AF78D93
Malicious:	false
Preview:	........C...{..-..\|..-....V1....13................T..................^......................E.....G...........5.....r.......................i...........g.................;C.....C.....K.....W.....\.....b.....k....}o.....s.....{...;..../;4...2;m...7;....8;....C;....D;}"..E;32..F;.A..G;iQ..H;.`..I;.p..J;....K;....L;....M;....N;....O;....P;....Q;`...R;B...S;./..T;kL..U;.c..V;.\|..W;....X;...Y;....Z;l...[;....\;....];.....<.....<.....<.#...<U%...<.(...<.+...<!1...<.4...<.9...=RM...=.O...=.V...=.e...=8f...=.f...=eg...=.g...=<h...=.h...=.j...=#r...=.t...=.w...=.y...=.{...=q....=.....=q....=....=.....=.....=.....=.....=.....=....=.....=.....=.....=.....=T...0>....1>C...2>^...3>....4>q...5>....6>....7>....D>....E>....F>E....@.....@k....@4....@F....@.....@.....@.....@.....@....$E....%E....&E....'E....(EU...)E....*Eu#..+E!&..8E.'..9E.)..:E.+.._E.7..`ETA..aE.M..bE.Y..cE.c..dE.t..eE.w..fE.x..gE.{..hE.\|..iE....tE....uE....vE....~E:....E9....EJ....E.....Ek....EG....E.....E.....Ep....E.....E.....E..

C:\Program Files (x86)\Fast!\nwjs\snapshot_blob.bin

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	1198536
Entropy (8bit):	6.0724872991141385
Encrypted:	false
SSDEEP:	12288:HbztrVZr3DoSHdbPOzwxxkNrBhw63E2Lf0Nyi6kJcMcOTN2I0vFi90o1:HbztX3DFA8orXF02Lf0NpJgU1mFi90o1
MD5:	1BD6EACB823E1A4C5F17516B45C85CE7
SHA1:	2693FB26D0ACEEA5001C6C8A4B5FE4B0C1735E33
SHA-256:	34F17BC88B07D6F0C205153E8C85629915EA93EBBF0F82E4C173E292BF3BDB08
SHA-512:	EC72E7E70EA361FFADE06E4324267243CC9907932A8797FCACBA1510745DA521F06365D3D6E48F8753AECAC51530F79D33EE6BADEDEDDE0980E7349E495C4348
Malicious:	false
Preview:	................v.C.....h........p..@....#...........,.,............. ....,8........... ............,8........... .9............o......o.$......o......:<................. .9......:<.......,8........... .9......:<.......,8........... .9......:<.........,8........... .9......:<.................,8........... .9......:<...............uninitialized.....................undefined...........,8........... .9......:<................d....,8..X........ .9......:<...............>........,8........... .9......:<.................=..6......hole....$.........>.....9...,8........... .9......:<..............?..=.:..$....true.......=...B ....boolean.........,...........=........false..................=.~j.........,:........... ..........<.........,:........... ........;.$.......,:........... ........;=.......,:....!...... ........;=.......,:.....H..... ........;=.........,:........... ........;=.......,:........... ........;=.......,:........... ........;=.......,:........... ........;=.......,:........

C:\Program Files (x86)\Fast!\nwjs\swiftshader\libEGL.dll

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	107520
Entropy (8bit):	6.3572540880058
Encrypted:	false
SSDEEP:	1536:wB0bzVn8icEY9OkFwaMZsDV4AcVrvsoEX4vpTb/sW9cdS8h5TQ0y4oVPYT:wyt8pEiDV701vJaSKq4o1Y
MD5:	973BCAD92FB7B30AB5A7A2F35E2EEB24
SHA1:	594477D5FF4626B2CA72E485DFAF53CE8BDF497E
SHA-256:	750CBA685EE7B85E87D4843F3AD9C549CB22E6FF90247373823CDA16DB7E2141
SHA-512:	144C362423CE4D5C3F6A45FAB4E9DED409F06764E5497B5D03E67EB51C5860F38DDE631553D6EF6468C0FBDFAFA7B4B474C2AC913F57C6AEC81665BDA1375536
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........................................................................E.......E.......@.......E.......Rich............................PE..L....,.Y.........."!................ti....... ............................................@..........................}..........P...............................\|... o..8....................o......Xo..@............ ..@............................text...p........................... ..`.rdata...i... ...j..................@..@.data................\|..............@....gfids..............................@..@.tls................................@....rsrc...............................@..@.reloc..\|...........................@..B........................................................................................................................................................................................................

C:\Program Files (x86)\Fast!\nwjs\swiftshader\libGLESv2.dll

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2013184
Entropy (8bit):	6.726531618207793
Encrypted:	false
SSDEEP:	49152:pIcO8JVs8rBf5ACKu43D6YMu+46+/imfywoMuF5P3Rv:pFO8JHBfIN3D6YF+ItywoZd
MD5:	1196BE50E7F9F56901865C0CFA76CA3E
SHA1:	5384443AB344DBBF558E0CFC155CBACE89121871
SHA-256:	2389E02AAB2A20D1067F4E6AC9D0E1961B99B64AA539A967842B3F60AF450365
SHA-512:	E9954D974E70F56E3FDAB4F1A3341F9A960E3D8BA4FFC26F26D1E0562F38E75FAF1627AF81E143E3DD25ABC780FFB4C37F339B6783637EA414B4AE485EB3D609
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...........y...y...y...$..y...$.!y...$..y.......y...'..y...'..y...'..y...$..y...$..y...$...y...y..gy...'..y...'.,y...'...y...'?..y...'..y..Rich.y..................PE..L....,.Y.........."!.................6........................................#...........@.........................`z......D...d.....".......................".....p...8...............................@............................................text...Y........................... ..`.rdata..:...........................@..@.data...............................@....tls..........".....................@....gfids........".....................@..@.rsrc.........".....................@..@.reloc........".....................@..B................................................................................................................................................................................

C:\Program Files (x86)\Fast!\nwjs\v8_context_snapshot.bin

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	647441
Entropy (8bit):	5.091753770132809
Encrypted:	false
SSDEEP:	6144:yuJR9fWrgHbhaM1IW0mh3pXWz3WUUML5DSlGkMeiWxDhU04jh1qH:BJH3swIsdWz39Uc52lGkHiWA04jh1C
MD5:	E59FAEDF525C663FDE4C6BCD3C77920A
SHA1:	6388193081D87AE3FA2FCD546790D2D9C4C4E006
SHA-256:	83A73E2B5A458B394ABA65A3F9ABA0FC1FBD9520D07858A2C1E8AB8CCDB5C7DA
SHA-512:	F65B02E0CD828F93B76E0DD8E68CAC1563102798B1FE820D801DD67ED3E02FC2902106C9E60E0DF96E11DDB3EABD2AC30DBF5D23D8F47085A755F299FAAC69FF
Malicious:	false
Preview:	.............b].11.9.169.6..........................................................YI..1\|..i)..Q...............a........a........a........ar.......a$.......a............m....m....n....n....o....o....p....p....q....q....r....r....s..(Jb...*L.....@..F^.5..9.`.....(Jb....P.....@..F^..`.....L...IDa........Db............D`.....1.D`.....D].-.D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L............................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Fast!\nwjs\vk_swiftshader.dll

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4491776
Entropy (8bit):	6.299524374544543
Encrypted:	false
SSDEEP:	49152:KU82lTQcFMkjVGWalGA0GmK3jrmz5xbQ87uhvMxqyF2k2gwUIukCN/ET8CPhmQJF:u+TJXIfw05PhLJVS0Dy
MD5:	5A3011F59AD6ACEDA78A8F42BA7CFA1E
SHA1:	CE61A5ACAAFBF7464D9A26DB762F9F661E6E9AAC
SHA-256:	39612549C82C10B8A8E8072F2FAF17354D8CCCD3EEBA1D5FDA9C50FF547FFE5D
SHA-512:	16E9CBBA44FB14E0E27FC872DE51E501DFFE79CC39B3386BCEC28F6DB874CB84606848E5C1E67322486FE29960DBD514FBF505AF8C94CCCD54126AB873A33AA7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...P0Wd.........." ......3..........U0......................................@F...........`A..........................................?.~...~.?.P.....E......pC.p.............E.0...tu?.8...................Xt?.(....k>.8........... .?.P............................text.....3.......3................. ..`.rdata..\.....3.......3.............@..@.data.........@.......@.............@....pdata..p....pC......&B.............@..@.00cfg..0.... E.......C.............@..@.gxfg....,...0E.......C.............@..@.retplne.....`E.......C..................tls....V....pE.......C.............@....voltbl.8.....E.......C................._RDATA........E.......D.............@..@.rsrc.........E.......D.............@..@.reloc..0.....E.......D.............@..B........................................................................................................................................

C:\Program Files (x86)\Fast!\nwjs\vk_swiftshader_icd.json

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	106
Entropy (8bit):	4.724752649036734
Encrypted:	false
SSDEEP:	3:YD96WyV18tzsmyXLVi1rTVWSCwW2TJHzeZ18rY:Y8WyV18tAZLVmCwXFiZ18rY
MD5:	8642DD3A87E2DE6E991FAE08458E302B
SHA1:	9C06735C31CEC00600FD763A92F8112D085BD12A
SHA-256:	32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
SHA-512:	F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
Malicious:	false
Preview:	{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}

C:\Program Files (x86)\Fast!\nwjs\vulkan-1.dll

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	913408
Entropy (8bit):	6.578192683971118
Encrypted:	false
SSDEEP:	24576:VkLGO/wBlPes+ERBTmqQRw6Z5WdDYsH26g3P0zAk7JeAy0:SLGQwBlOEDTVUw6Z5WdDYsH26g3P0zAC
MD5:	2DB0026C9329B1FAF58971CF1AC51A6C
SHA1:	E7E043AD9FEB2086B4EAD78A661C376DE596E4D3
SHA-256:	E471E4E0A5635D2E5F6E1E5778016D0E5E169BC61AA32E5D380EBCD2502FC103
SHA-512:	AD1E66450CCBF49BBAF7632BB7B9C201D2BB0E53CF2594DACFDA439545BB07AA2A085D188654E8E057D3AE0C1D682D3523942D9492D3C1F2D74BCE8BF378D7E6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...P0Wd.........." ................`(....................................................`A.........................................p..<!..$...P....p.......p...q..............D....S..8....................R..(.......8...........p................................text...s........................... ..`.rdata....... ......................@..@.data...,M... ... ..................@....pdata...q...p...r...2..............@..@.00cfg..0...........................@..@.gxfg...P).......*..................@..@.retplne.....0...........................tls.........@......................@....voltbl.8....P.........................._RDATA.......`......................@..@.rsrc........p......................@..@.reloc..D...........................@..B........................................................................................................................................

C:\Program Files (x86)\Fast!\ui\css\opensans.css

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1800
Entropy (8bit):	5.223532960977299
Encrypted:	false
SSDEEP:	24:L286KGb28HL/RK28Y28vm1y28tJ28pf5pG28swy9IDi:68NGK8rZt8f8SV8C8pf5n8sNOW
MD5:	EDAB2AD532D5A2E8736176A0D455B1BD
SHA1:	10C0BA9E3D9A8196A6852F9A264CA378D0961099
SHA-256:	AEAC4EF506D8ECDA071169649D3A9D46344E8EEC246BA1C716499E9FAB05F7E4
SHA-512:	3C059E4BD497C22AD7DD586ED5252C091BC63753BCE2065D566C94C5B7F2BEBE5F858D2FC812052926F69F5465AEAC9389917EDDEDF1B7D0BFE5D82808DA9158
Malicious:	false
Preview:	/* cyrillic-ext /..@font-face {.. font-family: 'Open Sans';.. font-style: normal;.. font-weight: 400;.. src: local('Open Sans'), local('OpenSans'), url(opensans1.woff2) format('woff2');.. unicode-range: U+0460-052F, U+20B4, U+2DE0-2DFF, U+A640-A69F;..}../ cyrillic /..@font-face {.. font-family: 'Open Sans';.. font-style: normal;.. font-weight: 400;.. src: local('Open Sans'), local('OpenSans'), url(opensans2.woff2) format('woff2');.. unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;..}../ greek-ext /..@font-face {.. font-family: 'Open Sans';.. font-style: normal;.. font-weight: 400;.. src: local('Open Sans'), local('OpenSans'), url(opensans3.woff2) format('woff2');.. unicode-range: U+1F00-1FFF;..}../ greek /..@font-face {.. font-family: 'Open Sans';.. font-style: normal;.. font-weight: 400;.. src: local('Open Sans'), local('OpenSans'), url(opensans4.woff2) format('woff2');.. unicode-range: U+0370-03FF;..}../ vietnamese */..@font-face {.. font-fam

C:\Program Files (x86)\Fast!\ui\css\opensans1.woff2

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 16868, version 1.6554
Category:	dropped
Size (bytes):	16868
Entropy (8bit):	7.9880541218783945
Encrypted:	false
SSDEEP:	384:AF92jnHaPlexnHnbJg3txyB4pRvbSJsLJKJFZ9n:c92bHsWJmg47D2stAvd
MD5:	4B60E71334D025BE8BD843ACC59753E1
SHA1:	E0350190D720A8FEC0557AB47B318EC4E4486448
SHA-256:	CDD6F09441727E4AC6FA370E2B8221EE3C2892265CB618AFA35643CBDD5B7617
SHA-512:	B7ED2906BEAE601AAAF9249BE565C1F6A6F29FD9D2C36F7C8338AAD97B4ADD5CD8F7023F8EB5491A660E252021BD247B8C65564F2D2C1AC17B7972D754A568AB
Malicious:	false
Preview:	wOF2......A...........A..........................".....`....."..4.....T..D.6.$..p..<.. ..2..J....:r5l......p._.h$B.820.kGE.q.(..d..9.r...<.jY........foL.%.S)tl....K..d.K.U...O3.{...2.Gs...Z.5.Db.@g..)."....T$..c.?.7.Z...M..../..c..q....'fZ...q..2..8.3.n..i..~~.3..&5.}.7.w..$....t,.......~.&.L5.{f.?.lh..37......fbb.z..g.TLT...&..q.....E?.#y...v..}o?5.L..q.d.%.j Q...:.....&uV..Zq.-.8a.E../.oF.X..4T.s..E.E.....jw..H..?.L/.!K.....).#].L....6<.}.e.[2.RW....n.e....=..W..A......yY}..TE..U%...8...:+.v.}C\|.PQG`.&..V~..].Yh..$y`...F..r..Bb.......I..t....7.FM.Q...v.-...Xc.;..D.6.{.L.\...:..._..{.HH.8X.\t....Y..[(...^......I.....dJ....9J..r...\t..K..g.....(@T.u...;..{......t..O}....B......:...s.s.(..K[.....wI.8....~9z........ .n .?I.xXv.L.`.)...2t....Ru. .t8.D.....q.....7.!.....$...F....5.5]....."...\| ..xU)......{.~..~..y......a..!.iU.H.W1.....Q.8...&...Z..d S.VjUA...&.....#....l ..,.@SB$.d@..W../...A.....la..d\........S.f.[0..u.U7...ST/...W?.]1.@..6.P..

C:\Program Files (x86)\Fast!\ui\css\opensans2.woff2

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 9676, version 1.6554
Category:	dropped
Size (bytes):	9676
Entropy (8bit):	7.974841909039616
Encrypted:	false
SSDEEP:	192:pvu6iax1W+gxgsnpb2Ds8gS78nB9fxoA3sp5XdWpQS2Jm6P8ve:o6iaLexDnYD0mOD13svtWyS+BP8ve
MD5:	85759F54539623A05BF2E5A3F6799DAF
SHA1:	BE201D32A9AA5D186723EBB3C538BE691AA8C53A
SHA-256:	CF84A7B7066A47F6973D447ABE36D8B8247A2949DC66363F2CD861767885ABC2
SHA-512:	9BEDED6DB64CB808B4E61F0ED26B26CE03A20ACF68275A5CFE7079758D6A72A791F273A6E939018B338EA414D2E3B149C92BCFD0313725F14BAA87F1B790FF51
Malicious:	false
Preview:	wOF2......%.......J...%j.........................(.....`....."..4....x.P.6.$.. ..f..... ..2..?....UA......l....$B.8@.AU............j...u..nm.........Z...,.R.U:.M....9t...T^U....d...?..0...:...Z.Y....\|...5a.>\W.j....gi......._.e0.p....&C.2y.\..lr....+..b....gZ.....CX.a...Q7..3}_....Z.....r.d.cW!.:_...M.\ ...1.K...r-...p..m...vvba...D.h.X.2"X3.....Q(F.0zel....wV.....e.....{.8=.f.....}......0.)..t..M.T.._Q.pS...f.I.u....<.......U.......$...T.....9q.!.[.h...Cy.AvR.. ..;....'F\|........I$....=t.........pT.f.c.Bq...XOB.......S......Z...a....uz..9.2\$'.\|.........$;......B.%...\|...T.MsE...uy..-..2.......,.0T....rYr..B(.......P'.J..B.....k..^nB&.!..,4"..g. .Z.sA.!!....a..^...........mz..y].JB;~F....'2. .....J.......=...%?A.n...s..n.'....O..Jxe)..!M.JBhL.cD..8.6..4?L...p....;~...x.....Pyx.......O...."...}.#.0.....T1.i...k.j..t/..?.%L83...c...!.......m.J@.......zf...(.~.u../..x'...V.X.\iP...8..q..n5...9}.MAI..%.A.s_.o.2.....%.A...~..@M..nL.....H\

C:\Program Files (x86)\Fast!\ui\css\opensans3.woff2

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 2332, version 1.6554
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.869949868745035
Encrypted:	false
SSDEEP:	48:Ibi/lZ1jAjJ+6p1/d4vfhRblBFRGLiGxrQ0EM4Jg5QsM:fZ5AjJ+8/4hRbFRtKrQ0E60
MD5:	F736E54388BFAAD417DF1B30814B6AAE
SHA1:	2C5B039B57F62625E88226A938679EC937431AD1
SHA-256:	5CED1FBF1C36965E6A61DDCB52D7AD7CC43A8A6096A8E40AE2405BFBB3153FAD
SHA-512:	4BEC4A9EFC6FDB22F805F5CF61F765C8DEB259C72748DE6069714AF0D4287B435583F8ADA6637DF3B139AE4CF5BD3AB805088C99888C10F54E9981C34DADC991
Malicious:	false
Preview:	wOF2...................................................`.,.."..4....`.E.6.$...... ..2.G......Q.M.I.E..b.%%..XH`<-....FF..w7b(...}......5d..oq).....Z._N.L$.H..N....d.c....S...2y9o.,\..}...z]`:v..1A....y..y@..").r.#.e..a.....C..i?W'.F.-..Nf..}...#...I)C.. $J&..26..7f .H.<.....b1j.....+.[.`6....J^..&.o?@..2.... .....]._......$q...S......w`UY.8.9.$..}W....dg..p.%X.H.e..+..ZCt.....%.W...r.o...`...!........].-.......{.5 6....-....j...Y..\..G...o5..Z....'..+.Q,.s......cG..>tp......R.Vv..e.....".P0..y=...Eb...h..0.9.l...f...J6R..W.M.r..9Hm.).....:..)........@.G2.....v...<..?.7.IcnUE............=......Xa2....D,.....^.l."j_i.q. ......g..5n..U.....Y.X.B{../`...q?.....)..d......p.p.8. <../c2.;X.w<..E....+.....1...O..4.Qq.....wN.H.....J.$u...RZ..Qb.$l......2.n4.5..U^..^.........9f...R...1..V.3N...3...&....1..G..rU.....a....z.r...i.%....[.RuMu.f_.hp.^.2.....`....)71...*.+...n..E..v../....{.2.!'P....E.....(k.hq........f3XN......*......v;.A.-..a....X~c.

C:\Program Files (x86)\Fast!\ui\css\opensans4.woff2

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 8160, version 1.6554
Category:	dropped
Size (bytes):	8160
Entropy (8bit):	7.9700811821881645
Encrypted:	false
SSDEEP:	192:9+77Ihm4JmBCuXbtbyKjgBnw+3uqS8IxZrtXPyR6V:9VvmTtUnHTSXhXKi
MD5:	C09EA514A21D4A93BC0C4A96ED503A59
SHA1:	BE365ECA44760CE3FC9B377C43D4634958479C69
SHA-256:	F66947CEC51A5785E6F9CA02F45E8F0D22D43BA818ED114366D033E14458BC84
SHA-512:	19365BC788085CA00F86DC74ABCCC77B48CC9F0BFE11093B52165B049ADDA5DC16B48598BD878AE2816465CB1AD70A4F134C4619CE58C8A76FCF15380B05B285
Malicious:	false
Preview:	wOF2..............<\|.............................(.....`.\|.."..4....l.x.6.$........H.. ..2..6.....6....w.........d....r.MX...."N....0..PFNX1...i.u.......Q.n..C.1.._...N..%,5:D...T....;L..?...D.^....<...xD.u...#..>..g2=...;.&..k(%A..}....u...p \|H.W.%...@!\.........."..>/rK....W^...}..W.....@........X{@..z?.#..ga.5.LP2PuU.....\._..U.......&.... .......TK..OJ......i#.lV..z\...m.Pj]4..SqZ. W.Y.Snr9..a...c..;].@....R.5.JV..Q...b...).:.gVY7....*b...L....B%4....B.f.. w........Y.?s..%i....2a.J.Q..B.g..O........u.2.i....i\|(.l..T_.a.w.AP>,j.,a..IJ...IYO.sj9K.r.!.%.........$=...uLT......."X.y..yr....XSk..f....`....3.>A.....H...zd.q.E@.8.y3....u..7.......vv.(D.m..A..sZ%.@!...p.F1%..Y/.<H$.._!....=.'....\\y.A%\|.rXD.....3.i.e.8Q..LR....p.........GI.EC.....x..1?.D....}6....Tm^......L.".w...(.nZH..<N=n...DU.S.NY2..$...,....D...2.,.....r.H..tg..m....1.>....."..$.,...s...4tM.".O..~.Z...d.m..2..VRpF. ....Ef..a%..P.Jb4g..Il(..s..X.J.V.C9c.\...e..V...+t....

C:\Program Files (x86)\Fast!\ui\css\opensans5.woff2

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 5740, version 1.6554
Category:	dropped
Size (bytes):	5740
Entropy (8bit):	7.95831025079887
Encrypted:	false
SSDEEP:	96:UEocAnI0DGeTJqMNB6x16AIoeqOqjk/kWA812MX9GPvlreZUWxajgCsQyN:vnAI0KetnBw5IqKkxYhXwPvlr6UWKxyN
MD5:	5C02962E1F9A25F98CC3CAB0DC1EE177
SHA1:	C4248EA800BD5608344CE163F5658B57E7EF9410
SHA-256:	CA17AE084F5465C81BA80EC29C647ACD772F953738940E874CCA265ED81499FA
SHA-512:	3D903B73B3D7129083DA4A7C9458D61A17C73DD489F273D46672AD75C601F3B790F695C667361AFFE020B0CFFFDB87B370F3ED9B4A11BED8B59E529D42A92D09
Malicious:	false
Preview:	wOF2.......l....../..............................(.....`.R.."..4....,.w.6.$..`.Z..t.. ..2..o.........a.........d...8.;...p........&l....$KF..%u_...w....H......+3.....v...U.z....]7........s.....c..,.."............2....6..WD.X.........h.9.a/.q....1......]6..G........B..D....7.V^].....N.gJ...9.Z.E..V%...0e.To.......e...0....M.w.n..-.L2i2$....N..5$..@4.p...4R..aL.V...9}:g...y!O>....`{SY_....Ne`.N..J..O..J.....)7...-EHEGQ..H...ki.6....5.^..Q..b.B.I...\.R....h.hZ..Jx..~c..D..]mk....B.4.Ecb/M.#jkN..............Z3.FDDD.hF... ...P .75@ ..@f.5.\|".;y5l?..h...$7....,...h^?.0.CQ8I.&.........f.r.,.J..-......b.R@.!.]E......[...ERL+..p.-.].O.C...L.C\|[\|....\|...n...@..Zk..oO.P..i... u\.....[....=A..G.&........3/./.Y...8..7...,c#V.E.C...JZ]VZR\TX.........HOKU.$'%&..M.2y..8~.h.....#xX..#..t.8l..A...!..BFR6.\|bQ..F!.=.J.JL...Zl...Z-..%0@!..a(.Z]3..8...2..}M.z.*\|D7&.VZz......D!.y.!..E..b...;i.k...t,/.G!K.....M.P\O...^T...S.1.}.._K.%..T...QX.n.T....5.(S..k.n.mH../n.G.-.

C:\Program Files (x86)\Fast!\ui\css\opensans6.woff2

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 12288, version 1.6554
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	7.973221791058246
Encrypted:	false
SSDEEP:	192:yS4RT4Sxe82NOQXmzngpDbW6tyC3Kew1r3ZuhSZVKk4Ht7Y4kyv4VCK3c+J1aA48:/4tt2N7Wzg5NtV6/F3wcnKttU2vkCr+T
MD5:	921DD520C3FBA714997C8B941D51DBC5
SHA1:	113978181DCAC77BAECEF6115A9121D8F6E4FC3A
SHA-256:	A846F7AF6F32F2BE5CB922158882116AF42816A0FF71506920E18A3BA89456B9
SHA-512:	17CE9CD97314F7122879EC05B9A379E6ACFB6B4B5E9BC7C12A46CBB81B45B772DDC1F41471F4B6FACAC9010FA69F0420A7C538B6B9293A19551CF9593033C6CC
Malicious:	false
Preview:	wOF2......0.......r.../..........................F...l.`..n.."..4....@.(.6.$..,..b..X.. ..2..".....gw.......f...../5.L{.Dd.\.5.r2..........l. .VU...$..&.....[.......&..$..F.. ..B.$"..t..#...g. {.".9M2YJD,=..w...N.........vG;.........*........F...W.o.eY>.~..6._.!..E........-.=Q...e.C..I..._u...{w..-..D.......Y}y...!.f...8.q...".F...........5....8+......s.Gy}_.dT5.,t.t.?.X...g....p:....3.@..~.A..qrP]!.;@%..oU..........Y..a"..z3.=....T.....?.[./.("..+...`./.bH7.+[.Y.E.<.3..s.....^.....!O.....=.M..qd.>..&..5.c.!...7U=...$.)..G.........N...J/c=g...}.e.....V?...b....F....!\|<....tkc......o..{...5.^."4.H..Yk.C1........=b...z._..0......$ ..L)es2L..}.....I .@..t.\A..\|!(.G.Mv.R.@.#....VJ].)c2.c.[.f..z~....H.qC1."+...........q..o.S<y..5..3.0..!m.B.J..5...$.<....Z.......L.r..[.T......\U.cJ....O.R..%2q.&.H.S.....L.`m....... @[..C2.....u.9v.s.s.K.M..`u.....A..87>.@.P...G.>n..A....^ZC.[... x......t(`..9.3^.E.+._...8v....'.r>.@.....f.V.....1....8

C:\Program Files (x86)\Fast!\ui\css\opensans7.woff2

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 15572, version 1.6554
Category:	dropped
Size (bytes):	15572
Entropy (8bit):	7.9810164149550245
Encrypted:	false
SSDEEP:	384:js8NoiTYZhWLvKuU4dX+XD3lk8M4RedEEHluh/:DoiP+4dX+T3OCRkE6I9
MD5:	E64CAB167BBDC04807429D10873901A0
SHA1:	AFC44700053C9A28F9AB26F6AEC4862AC1D0795D
SHA-256:	60F9B5203842A4FE2D52F7C96F3C57B755BBF8F347535469739BCC6F95A9C4B5
SHA-512:	9812A394D05F56B70C1DE57FF6CCD46E15C2DB99A003138A0CC2210D08303746969A269F37583A6BE14C706C645FB923136E4231B3ED1FB47FCAF6209884CEAC
Malicious:	false
Preview:	wOF2......<........8..<p.............................t.`..L.."..4.....D..B.6.$..l.....<.. ..2..(.....w..;[...C.[%[.v.(T..E.q@..g.....yI..%X."h.u..O...)nb.A1..hC.V.@CN....~.e..........el<..s.....8.9..5B./(..%.k..4Ji.:.....C".o)&.......T.......K....R...R(.......G.T..'.6...?......j.o..,..T.I.&..]..g..@.B. ....P&...m..Q.r..S..=Q.1.....2r......*D....9.._......?.6f..F.......^.r0.7..W.dY..$.......\.x...{..%.-....g.K>.>.Y. ..AtAti@..q..&y..).)..(+..aC.......d....Xy..T_.[.l}K..DN...A..Ug.....,..J5....".&.F..@.v:..pM5......}..,.AD.~..m.....#..%./B]..E-..Xv;.i..r..h.e..O..V..1P...`>.S...../.jUb....Gq.9@..x..O.v\.........A..'...5.,..A...p...".&.4...S>.-)l.Bo.'5?4S3...14J.]H.^....\|!......L....... (....R:/II..FP....@...SN.7.....D.K1Wv..M..../MO6x..2B........Q. ....^B0+&..i..xZ.GS......:.2.....d...)..x...l!.>r.............TJ.S..4....E.).sN.e. .2..p.I1..&...$....Z..0E.t..G..............vkp..h"...iH@.B..[...D.,0..e.....AN....r..w.......L

C:\Program Files (x86)\Fast!\ui\css\style.css

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2855
Entropy (8bit):	4.802364782604789
Encrypted:	false
SSDEEP:	48:UrEh1xryEUta3fRd0txGfkSBaTT4FFt7rhKD+8iazC4Fg2lmqu:UraxeEB4SoT0F/9KNiU6p
MD5:	A5AC411E66EDD61B2CA0C5B5089724D1
SHA1:	A2DBEDFE6654EFF5840D72382F9AFD08EC073100
SHA-256:	09CA9E1B17698897887C96E2D30A8B33DDFCE6C6A8976A8F0E0CFB3FB21043DD
SHA-512:	8716516CC7E36006A1FD93B695FC8C76009966D3A68D35AF420E887518888E1D68AC6C7280749E8C5DF722FF2F7BC00BEA9443823BF4A0F9250969A392542488
Malicious:	false
Preview:	body {.. -webkit-touch-callout: none;.. -webkit-user-select: none;.. -khtml-user-select: none;.. -moz-user-select: none;.. -ms-user-select: none;.. user-select: none;.... background: #333;.. color: #fff;.. text-shadow: 1px 1px #444;.. font-family: "Open Sans";.. font-size: 22px;.... cursor: default;..}....button {.. color: white;.. background-color: #77b577;.. width: 100%;.. height: 3.75em;.. line-height: 3.75em;.... border-radius: 0px;.. border: 0;.. cursor: pointer;.. display: inline-block;.. font-size: 0.8em;.. font-weight: 600;.. text-align: center;..}.....minimize-button {.. cursor: pointer;.. position: absolute;.. right: 21px;.. top: 6px;.. width: 10px;.. height: 10px;..}...minimize-button:after {.. content: "";.. position: absolute;.. bottom: 0;.. left: 0;.. width: 100%;.. height: 1px;.. background: #fff;..}...close-button {.. cursor: pointer;.. position: absolute

C:\Program Files (x86)\Fast!\ui\icons\back-arrow.svg

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	662
Entropy (8bit):	4.45395243063737
Encrypted:	false
SSDEEP:	12:trvN7uJl+uDMmdBtyiawjaKBKFGF4cydP6bpkkTWowC1uuFy:tjN7uJD4g3AoaeScydyNTWBC1NFy
MD5:	4F77D94F5BA5137010962C7BD02740E5
SHA1:	BC1B5DE9F2CAB87CFA480167FBC49D8D22FF4281
SHA-256:	904315F5F11F3648B8EE5A71554ABC9EED3FAB9E8BC4CD346CA8EB62C57D9E3B
SHA-512:	32FF42BF76E94624491C49C4986E638F41B36EE08DACD813EBA70C4EFA237E23A0D108BB1909AAEC9B358F7D60B4B57897B1E4CD5777607EBBB35D11544F1F17
Malicious:	false
Preview:	<svg width="21" height="10" viewBox="0 0 21 10" fill="none" xmlns="http://www.w3.org/2000/svg">..<path d="M0.240114 4.34053C0.24036 4.34029 0.240566 4.34001 0.240854 4.33978L4.52725 0.230137C4.84837 -0.0777301 5.36776 -0.0765844 5.6874 0.232824C6.007 0.542193 6.00577 1.04258 5.68466 1.35049L2.80677 4.10964H20.1797C20.6327 4.10964 21 4.46346 21 4.89995C21 5.33644 20.6327 5.69027 20.1797 5.69027H2.80681L5.68462 8.44942C6.00573 8.75733 6.00696 9.25771 5.68736 9.56708C5.36772 9.87653 4.84829 9.8776 4.52721 9.56977L0.240812 5.46013C0.240566 5.45989 0.24036 5.45962 0.240074 5.45938C-0.0812092 5.15044 -0.080183 4.64844 0.240114 4.34053Z" fill="#FFF"/>..</svg>..

C:\Program Files (x86)\Fast!\ui\icons\fast.svg

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	37918
Entropy (8bit):	6.013092765511404
Encrypted:	false
SSDEEP:	768:FHdknd28mdN7OEbCRqjI9IDdkXbkWrw6kgPbRExUP2rGioSeHf:F9Wd28mIckwWrwKbRE/nXeHf
MD5:	006577A377F0219BCB2FAE7AFA5308BF
SHA1:	89E784EA0B37010BF0E7E9825A296FBBBE9A8019
SHA-256:	A774B144C48347AF4E47E59744A85B336511271B3412A2C7B4BBC67F1EE81A1F
SHA-512:	2FE432B483696E0B8C69D903ABEF40C405D94FF59359217C590890B3F40B840D87B69FB949BD34A5CA1C5F32476006845C537AAEAFCF2C636C375E3D7BD02778
Malicious:	false
Preview:	<svg width="55" height="55" viewBox="0 0 55 55" fill="none" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><mask id="a" style="mask-type:alpha" maskUnits="userSpaceOnUse" x="0" y="0" width="55" height="55"><path fill="#D9D9D9" d="M0 0h55v55H0z"/></mask><g mask="url(#a)"><path fill="url(#pattern0)" d="M0 0h171v55H0z"/></g><defs><pattern id="pattern0" patternContentUnits="objectBoundingBox" width="1" height="1"><use xlink:href="#image0_729_108" transform="matrix(.00092 0 0 .00287 -.004 0)"/></pattern><image id="image0_729_108" width="1090" height="348" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABEIAAAFcCAYAAADMJhs1AAAACXBIWXMAAAsSAAALEgHS3X78AAAgAElEQVR4nOzdCZhU1Zk38P+pqq6u3uimgQakuqBZFASkQRFxA1ziFqUTNSZqFLOMWVxIZrJPIkkmk8kkE9EZx2Qmn2AWhcRE1Am4C+6KC0ijskPRbM3WDb3Ufr/nFKe1xe7q6u66t8699/97noqErq4699yi7r3vfc/7CsMwQERERERERETkBj7uZSKyi/Ztzw72JgaMQyxWjWhsMGLRAUakoTjeEhuAo0erjUOHT0A0Uo54vAzRaBHi8SIYhif9EMILj8f7waamUhEIkYIQSQARBAJNKK84KCoHhsWAik0FFc

C:\Program Files (x86)\Fast!\ui\images\fast.png

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	675
Entropy (8bit):	7.606800268124855
Encrypted:	false
SSDEEP:	12:6v/7i6gX7dGD3+zoCQDrqUw2QUp9RKG3VvJN1xOJ24wLTYqp2agcmitQ9:78DOsCQ/PQoRB3VhN1k24wfYqp2avVa9
MD5:	8D1ED092B3BE364DC47574F1310D2C87
SHA1:	D5BBA623B5AFB4C5B6C0AD5ED04A10F1881DA595
SHA-256:	07B61E98466A1F851D5DCF555AD9B901684EE622275129B98C38DA3785506FF2
SHA-512:	70134A9B5B786473A56F11BA7098CA6AF568EEF97AA8704A9748A5EFDFC4F16CEE1F9C22CEA9F55660BE4FEB14D6C1B5B09A7C76076D4F813A58FECF27BB8828
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz....jIDATx..VKK.Q....R."..q.....Z.\|.P....."b..'.......XiE..B6.6Z.c4.8....nf.$Nf&^. d1.w..9'...$.(.2N.V.\|.&....g...8.E.%].y.G_$8...O.H..4....%..>.N...P.....K..V9Z..4f..Y.,..T.pGi.%.?8.,@..W.'q...g...}p8....y.5r.......)......&....(.WrD_V.er.).h.....t....c~sN..u&S....Z.m\|.n..c.-_.A....(...._....X....,.hBD..<Z..Yk.V..._7V...U.........;....'....F..>;B..8.^.f../.:.. a?]..\.l......&@dD.g..y.r.p.g....fG<......M...r.....c..,...FJ,W...2G...d.9Q.4..5{4D...,._Oe.......Csbw.M~......dU.........j.0W.....r...'.s6..S......n...E...V@..e.$V....rfeN7.I...z+..`..R.,.N.]...>z..i#..~b.....N'..~0go.].*....I.e.x........[.S......IEND.B`.

C:\Program Files (x86)\Fast!\ui\images\fast_off.png

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	620
Entropy (8bit):	7.532871627537594
Encrypted:	false
SSDEEP:	12:6v/7iQz6urs3fgXgJX3MrE5s7j9dtn2ZA7FkmIA7:2WfgXCXkd14XmIC
MD5:	F775E05DAB18F69D2901B12299E63A16
SHA1:	B13CAB82F3B766E77589C8F99777FF27DC914FAA
SHA-256:	88D3DC2159DD31907CCD68C01102D94501476837998072B88DB6006AA459EB30
SHA-512:	9BA707E41DD3C971245BC45E97EAD1BC3FCE037FF5DEFCC4780744F1A87BE3F7B09DCC73446F952FD9B39D372431841C7355A3B16DBFF7FC05E23A94075D0B48
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz....3IDATx..WKK[Q..sk........ D.Q.'...R.BE..(>VJ...."A...D.7......_..\|SO8..s...B.......I ..{<;...,..\|..:J.\|...c.9.M..n.>.c(...+}D..8.h.%.e......\.BU..<...:..ls.@...g../v.J....\Fb.....;...;.QsO?...9.G.................48...`.M..8.0.....C..C.x7..j...0...X<.sI....L%..)...b.v....o.....Z...:.........8...U@@....)....`.V-.._7V.....k.E`....[.g&z....'[z'R.8.}y.t.p,.2...........t.........s.....j.B-y.@.r..Q._dG.kM#;>u..6..W.:...9f/.b..:].l..j8..m.0.....zs.99...N..#....mu..DjB....E.+....'F>..&N.X.2@({.(..{....$;..j...Y.>..:..d..x......~.7{C..O.....:0a......Giu.....IEND.B`.

C:\Program Files (x86)\Fast!\ui\images\grad.png

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PNG image data, 100 x 100, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	7.962335133869884
Encrypted:	false
SSDEEP:	192:sqd9LjOc71eEd9G7zIGHO3mgUD4Z2q5DO0sAmasbPbLiovYT7hE6/6co0il0:sY9Wc7d9G7zlHuUZqECma9/H/X
MD5:	DF9772D8383B587D8E0E2D78C1DECE5D
SHA1:	C7371EDD4272592A373E04A9B3A4D06C26A8DA0A
SHA-256:	F513EC17BA8716C92D362D0D892CC74ED5F5B1B45EA857D9F7D63794840696C6
SHA-512:	EC89CA890BEB39B2DD2DFC3CE91A93626F37305FCAFAED1185AD781EE5E10329AC75ACF5386F478B5627CBEDAA5F34DC6D6FAEA38A621EB589065DAF0E790C70
Malicious:	false
Preview:	.PNG........IHDR...d...d.....p.T...KiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c138 79.159824, 2016/09/14-01:09:01 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about=""/>. </rdf:RDF>.</x:xmpmeta>.<?xpacket end="r"?> I.:.. .IDATx.}}Y.lI...O.7Te.!.-.. m.7...C;...C?..._8.A.......8..4.8..x....?e&.....;....D ..5.......F..H.5:.....vt}V_HT..rc....vw..w.Ym.......F .@d.e....@D"..H ..~......].....}n..i+...#....."..=..O5.B..(..=...$.=.P...N9...Q..R5..........P...q...zI)..{..\......C@u....7,...].wa...k...5..x..6..k....%.....N..H..#..5.h......v....#B.s..>z...f8.5.W...e._."B.sX.1.h..s7.Y.#..M...T..3gr....T.N\|.......F.}.o....B#c..<A.j....HU.'.oY....[..=..h.r.....1a.!....p..<&s.......OJf.@`h.......e.1....c..W..k.._..Sx...K...}.i...8q.H....R.7......:pK.'bN.8.b.<'q\;8....YV...'..9...SL.ZN...........GZ.N./..&Mz

C:\Program Files (x86)\Fast!\ui\images\patent.png

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PNG image data, 95 x 43, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	9406
Entropy (8bit):	7.94022430872657
Encrypted:	false
SSDEEP:	192:EIIHUCD4wacvaKWaFGlENytchQA1QIEM91eBm:60wsKWaFGlEMtchQALv1im
MD5:	A325C56AC5095D3459A31023CBDDAAD8
SHA1:	77D2CE1EAA9775D901DC79A329D324C5F20F0E75
SHA-256:	2E7C88199F79F7EE899DF4333E85EA8959C6B156C1EA96DC0F0A1D3FE7D48F0E
SHA-512:	256D0826778D9B77FA79C4F6EDD482B9969276AE58EAD3514010EA937C5966F00E7FDFEA3938F8437402C76124E671DA0F902A2CFABF9DDC1A4C6EA8399D8A64
Malicious:	false
Preview:	.PNG........IHDR..._...+.....i.d....CiCCPICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly\|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m....... ......O......:..L..$R...J5e?

C:\Program Files (x86)\Fast!\ui\index.html

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	13204
Entropy (8bit):	4.314891162976399
Encrypted:	false
SSDEEP:	192:UWxnAAxN4NuawnEokaXtPkAlqSpbmr1yX6G/Eq09wW7pvFi4:zAMN4NuVGhj
MD5:	771D9D0414214C32609AA524173B3DED
SHA1:	2D660FBCE2651CEC6EDFC099A9A8921540D8D7F6
SHA-256:	CFE0B56AEBAC35D4652D1DAE85C9FE16EDDDC94E90A8D99D8148BEB1DF8F30C0
SHA-512:	26D0A34455F382FF95C1260561BC326CC73313CB279CC961373B3DA4F7ED58180C7FCFE916B2AA3363E1652182FFACF0C155088178F3B54BC5CD391E4945CB60
Malicious:	false
Preview:	<html>.. <head>.. <link href="css/opensans.css" rel="stylesheet" />.. <link href="css/style.css" rel="stylesheet" />.... <style></style>.. </head>.... <script src="js/jquery-2.1.4.min.js"></script>.. <script src="js/circle-progress.js"></script>.. <script src="js/chart.min.js"></script>.... <video.. id="fastvid".. style=".. display: none;.. position: fixed;.. top: 0;.. bottom: 0;.. left: 220px;.. right: 0;.. z-index: 0;.. ".. width="100%".. height="100%".. xloop.. nocontrols.. xautoplay.. >.. <source src="vid/fast.webm" type="video/ogg" />.. </video>.... <body style="display: none; background: #111514">.. <div id="payment_modal" class="payment-modal">.. <div class="payment-modal__frame">.. <div class="payment-modal__content" id="payment_modal_content"></div>.. </div>.. </div>.... <div.. id="welcomeToFast".. style=".. position: absolute;.. top: 150px;..

C:\Program Files (x86)\Fast!\ui\js\chart.min.js

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	ASCII text, with very long lines (65327), with CRLF line terminators
Category:	dropped
Size (bytes):	158750
Entropy (8bit):	5.366119866830528
Encrypted:	false
SSDEEP:	1536:OXZdEOLRr3NejQIooAIf9olnc3mfxZEtgsIC+Mc+CXxrP7eZYOcHBCF2RrUsAclj:4LetVBxpSxr6iHS2g+meI+B
MD5:	217CB5D4EA048DE6BD91DBCE1B3BC12E
SHA1:	C62B51022581122005182D235D78C19B8D53509F
SHA-256:	FEFEF4C25BBBDC09D6000B14AEFDAE1398A0A215E5402D6DF86C61052D49D408
SHA-512:	98A96C4B779E7CFD10447BD6E843AD6E97FDE08B3C1BD70FBB0C10F5533FF4D1E95ED3B965B152781BC1E198F2979E9B28E5030CAD9893ADCC0FAA012A88D445
Malicious:	false
Preview:	/!.. Chart.js.. * http://chartjs.org/.. * Version: 2.7.3.. .. Copyright 2018 Chart.js Contributors.. * Released under the MIT license.. * https://github.com/chartjs/Chart.js/blob/master/LICENSE.md.. */..!function(t){if("object"==typeof exports&&"undefined"!=typeof module)module.exports=t();else if("function"==typeof define&&define.amd)define([],t);else{("undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:this).Chart=t()}}(function(){return function o(r,s,l){function u(e,t){if(!s[e]){if(!r[e]){var i="function"==typeof require&&require;if(!t&&i)return i(e,!0);if(d)return d(e,!0);var n=new Error("Cannot find module '"+e+"'");throw n.code="MODULE_NOT_FOUND",n}var a=s[e]={exports:{}};r[e][0].call(a.exports,function(t){return u(r[e][1][t]\|\|t)},a,a.exports,o,r,s,l)}return s[e].exports}for(var d="function"==typeof require&&require,t=0;t<l.length;t++)u(l[t]);return u}({1:[function(t,e,i){},{}],2:[function(t,e,i){var o=t(6);function n(t){if(t){

C:\Program Files (x86)\Fast!\ui\js\circle-progress.js

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	15899
Entropy (8bit):	4.76323863494514
Encrypted:	false
SSDEEP:	384:wPeb21wglBqMcF14UxkPl/wxmFM2g7nR2Juv:n2W+qMGoVFM2UnR2Juv
MD5:	0912DF1CB8BC4B1D791524EC962FE932
SHA1:	ED06DCF2219A3AB5682E087D70B5177D6E182990
SHA-256:	0014E3CFD890D2C64B9AA76C610E6FCEE5800D1D23A0DCDA964BCC7F3F95EBA4
SHA-512:	D70D26073FD0C9D58B8FF0090D86BA4C2C4A1F51757603384C599B30137C2CE8440C59AE3F138B8B063A21F4F15043B5703438BC7FB92CE53B3EE9698800429A
Malicious:	false
Preview:	/*.. jquery-circle-progress - jQuery Plugin to draw animated circular progress bars:.. * {@link http://kottenator.github.io/jquery-circle-progress/}.. .. @author Rostyslav Bryzgunov <kottenator@gmail.com>.. * @version 1.2.1.. * @licence MIT.. * @preserve.. /..// UMD factory - https://github.com/umdjs/umd/blob/d31bb6ee7098715e019f52bdfe27b3e4bfd2b97e/templates/jqueryPlugin.js..// Uses AMD, CommonJS or browser globals to create a jQuery plugin...(function(factory) {.. if (typeof define === 'function' && define.amd) {.. // AMD - register as an anonymous module.. define(['jquery'], factory);.. } else if (typeof module === 'object' && module.exports) {.. // Node/CommonJS.. var $ = require('jquery');.. factory($);.. module.exports = $;.. } else {.. // Browser globals.. factory(jQuery);.. }..})(function($) {.. /.. Inner implementation of the circle progress bar... * The class is not exposed _yet_ but you can create an instance through jQuery method

C:\Program Files (x86)\Fast!\ui\js\jquery-2.1.4.min.js

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	ASCII text, with very long lines (32025), with CRLF line terminators
Category:	dropped
Size (bytes):	84349
Entropy (8bit):	5.366942924126885
Encrypted:	false
SSDEEP:	1536:oP10iSi65U/dXXeyhzeBuG+HYE0mdDuJO1z6Oy4sh3J1x72BjmN7TwpDKba98HrA:f+41hJiz6fhdlTqya98HrA
MD5:	B0DC11D0A434AAFE88908C7F33D71095
SHA1:	1327F754FF87D26BCED46568543207E9DF190AAA
SHA-256:	DE4B3C3D1DC2506B6693F0F98884E1DC074CDA9D66CAB39B7B48A115FDFC4C0F
SHA-512:	177719EF74C4593E139FD254AACA5590B108338F1139041E24C56CA212BDC61CBFDCE9799C8A51FD7B67E587B920097294E834FDACE5127BCCA9CE2877F48EA0
Malicious:	false
Preview:	/! jQuery v2.1.4 \| (c) 2005, 2015 jQuery Foundation, Inc. \| jquery.org/license /..!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.4",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,funct

C:\Program Files (x86)\Fast!\ui\js\ui.bin

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	data
Category:	dropped
Size (bytes):	68296
Entropy (8bit):	6.0885000598209755
Encrypted:	false
SSDEEP:	1536:X1kmytVwL4oM73IEEpLCbm1Jn5xL1/Ta4ksO:y64jyF4wnB/u4ksO
MD5:	BA8834181B1B3DE5E7EF68EDE0DAFC95
SHA1:	1E6618EF63242459306F7BFA18FA998A63529D4E
SHA-256:	00A08CC267F966343F52238B65F33CDA978E754BF97CF7630EA1603ACFE73AE8
SHA-512:	D813AF0959812A70026157D9B150270EB735A93EE4B1D06D3DC2BD3C01BFD13265837F5D131615873AA16F19CF18F2E462666B10316D8A8C2B0E4F241A692639
Malicious:	false
Preview:	......S%......5.b]..............,T.....`&....=.L`.....U.L`&.....Rbn.c.....gui..M...Rcb.......https.....Rbr.......win...Rcj.9v....bClosing..Rc.xSY....bRunning..ReF.......bFirstMinimize....Rc..-.....bExpired. Rfb..m....bInExpiredSetting.....Rd.b=.....bEnterKey.....Re........bInActiveSetting..RcrV.m....bTrial....Rd.5>.....nTrialLeft....Ren.Gp....nMaxInterests.....Rer.{.....bShowInterests....Rdb`......fast_UUID.....Rd........fast_Version..Rej-......defaultBrowser....Rd........bFirstError.. Rfrf.S....bFirstStartReport.....Rd..lM....bTutorial.... Rf........bTutorial_apps_word.. RfR......bTutorial_apps_excel.(Rh&\|6.....bTutorial_apps_powerpoint.... Rf.......bTutorial_apps_pdf....Re2RD.....fast_urlPixel.....Rc........bSurvey...Re.G......nNotificationCnt. Rf.T .....nTutorialAppCounter...Re.{.....tTutorialAppDesc..Re.U.H....bCookingPeriod....Rd>?.q....bMinimized....Re......bFirstDistStart...Rc........prevV.....Rc.\|......vGauges...Re^.......bShowPrediction...Rb.2M....net...Rdf..4....PIPE_P

C:\Program Files (x86)\Fast!\ui\js\ui.js

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	45
Entropy (8bit):	4.461530252405225
Encrypted:	false
SSDEEP:	3:+BKSLDrbIoMLNLQJlWsren:+Dn4oRVre
MD5:	FE10063F4A895C45C6F50E4B031A7B7E
SHA1:	6B2E8F116DBDD03A7AD19C0C156C0C3824AA1AD4
SHA-256:	FE3E5FDBC7265A8463D2AB98D7066DF486717A760501CBCFB3E8EBD7478CCAA5
SHA-512:	36A8EA42F7D35192DF68246520A7F91946A8E7DCF3747112C6FB2DBB9159F2DC31AF527BC0A66772EE379E08C3036E16D6B191DC34AE0B3D324BC42F83EA32FD
Malicious:	false
Preview:	nw.Window.get().evalNWBin(null, 'js/ui.bin');

C:\Program Files (x86)\Fast!\ui\notify.html

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2231
Entropy (8bit):	5.357284780864318
Encrypted:	false
SSDEEP:	48:d8WHjTkatD8WN8FiYtiC3ld7srxDOYVeDt3swsLqX1lo:HHjwaAHtj3lt+HmjsWFO
MD5:	D70ACC5BF85B98C460DA6134482CE9AA
SHA1:	1458C3F4D36CB80805C6A16A79FB575CCAC228DB
SHA-256:	DE4A67306473ED988975BEAA37CCA8C8D93CB652CA16E6D296DF25780994CAB8
SHA-512:	6D13FF44714807483D2D2DA3A20C4AAB7218FFC5438D1287057761990ED09E19308036ECAD7A583FC4B704C6FFA93C988EFE2194CA0B5D08F6CDB2FC903DC066
Malicious:	false
Preview:	<html>..<head>....<link href='css/opensans.css' rel='stylesheet'>..<link href='css/style.css' rel='stylesheet'>....</head>....<body style="background:transparent; display:none" onclick='onClk()'>..<div style='position:absolute; left:0px; top:0px; bottom:0px; right:0px; background:black; opacity:0.4'></div>..<img src='icons/fast.svg' style='position:absolute;left:10px;top:40px;width:32px;height:32px;'>..<span id=notifyClose style='position:absolute; right:10px;top:10px;font-size:10px; cursor: pointer;' onclick="event.stopPropagation(); closeMe(1);">X</span>..<span id=notifyText style='position:absolute;left:50px;top:30px;font-size:16px'>..</span>..</body>....<script src="js/jquery-2.1.4.min.js"></script>....<script>..var gui = require('nw.gui');..var win = gui.Window.get();....win.x = screen.availWidth-win.width;..win.y = screen.availHeight-win.height;....win.setAlwaysOnTop(true);..win.show();....$('body').fadeIn("fast");....function getQueryParams(qs) {.. qs = qs.split('+').join(' '

C:\Program Files (x86)\Fast!\ui\package.json

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	339
Entropy (8bit):	4.5024421723962655
Encrypted:	false
SSDEEP:	6:3HWLGbc65cCRvFNKM1G1Jt/BoFkSH4xIr0HHvFJ8NjDIqONUVFyvNMukI9c8DATY:VQ65cCRv+1Jt/PSYxI4HHuUTNUu+ukId
MD5:	7A91B8534B03A73551100F64D89E6B81
SHA1:	B622FEA68B11F48CBC5C9B92705C8B50EFE3F47D
SHA-256:	83018DFC5FB1082579DF214FB66F49C0A81645748E45F88D0FBF5DDB76D1CFE8
SHA-512:	17D786B83CABF66F550D838B025D7EF06FE73AB810DB79B8E90246E3998088112F020DB73789C8449535AE1FEEFA5050964B13BDA58F3A71B920A1EBD43E2879
Malicious:	false
Preview:	{.. "name": "FAST!",.. "main": "index.html",.. "window": {.. "title": "FAST!",.. "icon": "images/fast.png",.. "toolbar": false,.. "width": 800,.. "height": 450,.. "show": false,.. "resizable": false,.. "frame": false,.. "show_in_taskbar": false,.. "always_on_top": true,.. "position": "center".. }..}..

C:\Program Files (x86)\Fast!\ui\vid\fast.webm

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	WebM
Category:	dropped
Size (bytes):	1160514
Entropy (8bit):	7.901652490507714
Encrypted:	false
SSDEEP:	24576:3iZISjCDYvM5+1t0F/5ePRUgkzO2uk1H08sruk/+xURY7KjOslU2:FYAA0F/5ePJ2uka8sSk/qxsJ
MD5:	8A11E17C5B16557AE39C76966F355ADD
SHA1:	191AF04A6CAFC37DD4DD1C818F2EEF3EC31F65CB
SHA-256:	95746E5F06053CAEBCDA80E65EC58FABA62D07B054F1D7B3B9EC4A345DBB7B4C
SHA-512:	A99028B7D372491D3AF834D92AFFBF1C7506603DCC3CFF8662F1097AE1AC81F7B94393606D37CC074960078FD34BD687BCCB189EE57E5D7F46CE8D374BA179C6
Malicious:	false
Preview:	.E.........B...B...B..B..B..webmB...B....S.g.........M.t@-M..S...I.fS...M..S...T.kS...#M..S...S.kS........................................................................................................................................................................................I.f.......2...B@M..Lavf57.76.100WA.Lavf57.76.100D..@.X......T.k.......U........L..s....."...eng..V_VP8...#....U........ ...T.......T...UT....U..U...U....C.u...........J..........T....G...........z%.>....'e~a...'.O.E......H..................0?......+..._...............Jo.?...i?......U.;.@.....X./.x.U.m._.}D.o.o.;{P.c.......?..1<..&.....>.w.....p?....;.........7.O....v...W.7...../.......{...>..*..7....c..3.:.p.f..A......1.y..........9.I.s..\..&...Ms.4..8i5.p.k...9.I.s..\..&...Ms.4..8i5.p.k...9.I.s..\..&...Ms.4..8i5.p.k...9.I.s..\..&...Ms.4..8i5.p.k...9.I.s..\..&...Ms.4..8i5.p.k...9.I.s..\..&...Ms.4..8i5.p.k...9.I.s..\..&...Ms.4..8i5.p.k...9.I.s..\..&...Ms.4..8i5.p.k...9.I.s..\..&..

C:\Program Files (x86)\Fast!\uninstaller.exe

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	477260
Entropy (8bit):	7.9085264144022585
Encrypted:	false
SSDEEP:	6144:YbE/HUAaynxpO573XXh0lR+ALK7tYMCu3SmZTf438ZtjCUfNcGP5CZ8uAIq6CSnk:YbcX/O5HR03nKx/K8j2C/PgAI6A1sAg
MD5:	D88256056084F265E92B1D65FF9E72E6
SHA1:	814FE2B35C878DF9F3F956929258C923026FA02B
SHA-256:	69D6362C02DE5B2783DBDC4ECCEEDDCD9A687B0629F3F02089B71D5A26724403
SHA-512:	468E7A5B3AEE79F11AE96D762268EC66255ACE224E5F6C61B4D7FCA88C624A026D30BEBD567CA95C6CFAE88305C3393CD7672B7B567047F30D0A82B71C5DBFEC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j..........-5............@.................................T.....@..............................................L..............h)...........................................................................................text....h.......j.................. ..`.rdata...............n..............@..@.data...............................@....ndata...P...`...........................rsrc....L.......N..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7558367736634375
Encrypted:	false
SSDEEP:	1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH04:9JZj5MiKNnNhoxu7
MD5:	586B88EFF970DC9973B3CD375FBE3D0C
SHA1:	92B5ACD4C76B6B37CE2F04589CFEAB5E0A2BC438
SHA-256:	70DB965106DC2CE8779F76699DCD162949640C1AF4386903CA3E20DC36FB9788
SHA-512:	C72299E11033FC2FEB8571B8F753E0A0AAB13CB92802E5580025A8AC0ECE7A0619FBDF8EC47987ACF812E74B1EDC4F19EF32AC5964867149C493919293E61C38
Malicious:	false
Preview:	...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x6c54fd78, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7555292598105047
Encrypted:	false
SSDEEP:	1536:dSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:dazaSvGJzYj2UlmOlOL
MD5:	3E6DAC3CB27D3A58AB84753BBFB38E09
SHA1:	315692BAA3663F780575C782A737C449E05B8156
SHA-256:	1B0D2E7738B5AFACBA4623B87FB757B34ACB604F3C8300D8182E2ADFD38DC259
SHA-512:	7D12110208AB2763076A994FEDE9D80DABCA1F4E566EAADC23A2A3D319AEE76037C307AD0CA2E7504656D74049177DD6D5E3326A5D67BED4537DA24D25295034
Malicious:	false
Preview:	lT.x... .......7.......X\...;...{......................0.e......!...{?......\|..h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{..................................\z1`.....\|..................5........\|...........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07746865507211798
Encrypted:	false
SSDEEP:	3:4StlKYeXopcvfNaAPaU1lMq3wnZs/lalluxmO+l/SNxOf:blKzXoGNDPaUMs/AgmOH
MD5:	32C8632563FDB0251A75F5202FDAAF01
SHA1:	CF23C2C9FEABE2F6F39B7DA2F11EB559D02C6BED
SHA-256:	91C6CAD3A4F0BE1868616A79515724585ACCE12B1E32EC974038266BF5CEC8B7
SHA-512:	8D6EFE8D5C76D91F1EF4A45D982657010B28A58E9A6CFF890A8E7891B1E7128C383231C76C602C467D2EBFA5FA98B5D4E9C0EC7AE79FAD4F4F3055D2DA58C102
Malicious:	false
Preview:	N.q......................................;...{.......\|...!...{?..........!...{?..!...{?..g...!...{?.................5........\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe

Download File

Process:	C:\Users\user\Desktop\Setup (1).exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	131346680
Entropy (8bit):	7.997764556604052
Encrypted:	true
SSDEEP:	3145728:SRKm4EkXPikhk8/f6smzMPLgQrY0Z/oE7e39wWrUd2Ym8y7rzGqAQPi:29wXP5lQcLgKBBq3Yd2YmV7rzGzQPi
MD5:	6354C2FD7D3E21CB782A57AA601C44C8
SHA1:	16340D218D5655C668DD5C0E02F9BDBDDC7B69F0
SHA-256:	140077D5E67EFBE7B08B0814B2A04A04B6D11859DFE037E5CA97AFCA4D83136E
SHA-512:	727663DA68E600262058E79735D8D4A26E616763DD7BCEA23E425E328B62AE0F70A9CD012284010A9CC1F72ECE1812AD9E245014611CD9910AB72108CD9D408A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j..........-5............@.................................T.....@..............................................L..............h)...........................................................................................text....h.......j.................. ..`.rdata...............n..............@..@.data...............................@....ndata...P...`...........................rsrc....L.......N..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144688
Entropy (8bit):	6.667845757025275
Encrypted:	false
SSDEEP:
MD5:	FC41CABDD3C18079985AC5F648F58A90
SHA1:	51A619DDCB3661AA8675C2D7483840AC4F991746
SHA-256:	FA159F50E67FB5829F0F2511E25111C719411E6B6152FEA97F3A296264C7D7A4
SHA-512:	691090B54CE52D7E8BCFFF2711ADE7A6A8BB21B409358D7BFFC2053A53C116C7C22896F21BA36945A54F094D963CD9361A132D2E165365FE287C02F3C60356ED
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7...s..s..s.....z.....f.....{.....x..s........x......r......r..Richs..........PE..L...O.*W..........................................@..........................`............@...... ...........................!..x....0.. ............&..0....@..........8...............................@............ ...............................text...8........................... ..`.data...h...........................@....idata..j.... ......................@..@.rsrc... ....0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\Temp\dskres.xml

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	2642
Entropy (8bit):	5.188000462021663
Encrypted:	false
SSDEEP:
MD5:	ABF6167B001F3E88FAD32E0F844209C7
SHA1:	1D37B7C793A4B34F1E04A43C8631A56723EB7F41
SHA-256:	782F269C52BD37B69A3EDDA95D133AED7DEFEEA6019B8053557BA6C968CC2ADD
SHA-512:	1EB1E10E732949E8CE154BCDBF54CFDDCD8D89EBFE419D6110336D45FC85C38B10D3427AE4DC5ED3614A063B88E5E667F0716CA47FCFDDA400327B6489311D62
Malicious:	false
Preview:	<Results>..<System>..<ComputerName>134349</ComputerName>..<Tool>..<Version>2.0.17a</Version>..<VersionDate>2016/5/01</VersionDate>..</Tool>..<RunTime>2024/02/21 18:10:39 GMT</RunTime>..<ProcessorTopology>..<Group Group="0" MaximumProcessors="2" ActiveProcessors="2" ActiveProcessorMask="0x3"/>..</ProcessorTopology>..</System>..<Profile>..<Progress>0</Progress>..<ResultFormat>xml</ResultFormat>..<Verbose>false</Verbose>..<TimeSpans>..<TimeSpan>..<CompletionRoutines>false</CompletionRoutines>..<MeasureLatency>false</MeasureLatency>..<CalculateIopsStdDev>false</CalculateIopsStdDev>..<DisableAffinity>false</DisableAffinity>..<Duration>10</Duration>..<Warmup>5</Warmup>..<Cooldown>0</Cooldown>..<ThreadCount>0</ThreadCount>..<IoBucketDuration>1000</IoBucketDuration>..<RandSeed>0</RandSeed>..<Targets>..<Target>..<Path>C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp</Path>..<BlockSize>4096</BlockSize>..<BaseFileOffset>0</BaseFileOffset>..<SequentialScan>false</SequentialScan>..<RandomAc

C:\Users\user\AppData\Local\FAST!\Temp\user_download_done

Download File

Process:	C:\Users\user\Desktop\Setup (1).exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	42
Entropy (8bit):	2.9881439641616536
Encrypted:	false
SSDEEP:
MD5:	D89746888DA2D9510B64A9F031EAECD5
SHA1:	D5FCEB6532643D0D84FFE09C40C481ECDF59E15A
SHA-256:	EF1955AE757C8B966C83248350331BD3A30F658CED11F387F8EBF05AB3368629
SHA-512:	D5DA26B5D496EDB0221DF1A4057A8B0285D15592A8F8DC7016A294DF37ED335F3FDE6A2252962E0DF38B62847F8B771463A0124EF3F84299F262ED9D9D3CEE4C
Malicious:	false
Preview:	GIF89a.............!.......,...........D.;

C:\Users\user\AppData\Local\FAST!\Temp\user_download_start

Download File

Process:	C:\Users\user\Desktop\Setup (1).exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	42
Entropy (8bit):	2.9881439641616536
Encrypted:	false
SSDEEP:
MD5:	D89746888DA2D9510B64A9F031EAECD5
SHA1:	D5FCEB6532643D0D84FFE09C40C481ECDF59E15A
SHA-256:	EF1955AE757C8B966C83248350331BD3A30F658CED11F387F8EBF05AB3368629
SHA-512:	D5DA26B5D496EDB0221DF1A4057A8B0285D15592A8F8DC7016A294DF37ED335F3FDE6A2252962E0DF38B62847F8B771463A0124EF3F84299F262ED9D9D3CEE4C
Malicious:	false
Preview:	GIF89a.............!.......,...........D.;

C:\Users\user\AppData\Local\FAST!\Temp\error_mini_empty_path

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	42
Entropy (8bit):	2.9881439641616536
Encrypted:	false
SSDEEP:
MD5:	D89746888DA2D9510B64A9F031EAECD5
SHA1:	D5FCEB6532643D0D84FFE09C40C481ECDF59E15A
SHA-256:	EF1955AE757C8B966C83248350331BD3A30F658CED11F387F8EBF05AB3368629
SHA-512:	D5DA26B5D496EDB0221DF1A4057A8B0285D15592A8F8DC7016A294DF37ED335F3FDE6A2252962E0DF38B62847F8B771463A0124EF3F84299F262ED9D9D3CEE4C
Malicious:	false
Preview:	GIF89a.............!.......,...........D.;

C:\Users\user\AppData\Local\FAST!\Temp\full_installer_done

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	42
Entropy (8bit):	2.9881439641616536
Encrypted:	false
SSDEEP:
MD5:	D89746888DA2D9510B64A9F031EAECD5
SHA1:	D5FCEB6532643D0D84FFE09C40C481ECDF59E15A
SHA-256:	EF1955AE757C8B966C83248350331BD3A30F658CED11F387F8EBF05AB3368629
SHA-512:	D5DA26B5D496EDB0221DF1A4057A8B0285D15592A8F8DC7016A294DF37ED335F3FDE6A2252962E0DF38B62847F8B771463A0124EF3F84299F262ED9D9D3CEE4C
Malicious:	false
Preview:	GIF89a.............!.......,...........D.;

C:\Users\user\AppData\Local\FAST!\Temp\installer_start

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	42
Entropy (8bit):	2.9881439641616536
Encrypted:	false
SSDEEP:
MD5:	D89746888DA2D9510B64A9F031EAECD5
SHA1:	D5FCEB6532643D0D84FFE09C40C481ECDF59E15A
SHA-256:	EF1955AE757C8B966C83248350331BD3A30F658CED11F387F8EBF05AB3368629
SHA-512:	D5DA26B5D496EDB0221DF1A4057A8B0285D15592A8F8DC7016A294DF37ED335F3FDE6A2252962E0DF38B62847F8B771463A0124EF3F84299F262ED9D9D3CEE4C
Malicious:	false
Preview:	GIF89a.............!.......,...........D.;

C:\Users\user\AppData\Local\FAST!\Temp\installing

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	42
Entropy (8bit):	2.9881439641616536
Encrypted:	false
SSDEEP:
MD5:	D89746888DA2D9510B64A9F031EAECD5
SHA1:	D5FCEB6532643D0D84FFE09C40C481ECDF59E15A
SHA-256:	EF1955AE757C8B966C83248350331BD3A30F658CED11F387F8EBF05AB3368629
SHA-512:	D5DA26B5D496EDB0221DF1A4057A8B0285D15592A8F8DC7016A294DF37ED335F3FDE6A2252962E0DF38B62847F8B771463A0124EF3F84299F262ED9D9D3CEE4C
Malicious:	false
Preview:	GIF89a.............!.......,...........D.;

C:\Users\user\AppData\Local\FAST!\Temp\mini_done

Download File

Process:	C:\Users\user\Desktop\Setup (1).exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	42
Entropy (8bit):	2.9881439641616536
Encrypted:	false
SSDEEP:
MD5:	D89746888DA2D9510B64A9F031EAECD5
SHA1:	D5FCEB6532643D0D84FFE09C40C481ECDF59E15A
SHA-256:	EF1955AE757C8B966C83248350331BD3A30F658CED11F387F8EBF05AB3368629
SHA-512:	D5DA26B5D496EDB0221DF1A4057A8B0285D15592A8F8DC7016A294DF37ED335F3FDE6A2252962E0DF38B62847F8B771463A0124EF3F84299F262ED9D9D3CEE4C
Malicious:	false
Preview:	GIF89a.............!.......,...........D.;

C:\Users\user\AppData\Local\FAST!\Temp\mini_start

Download File

Process:	C:\Users\user\Desktop\Setup (1).exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	42
Entropy (8bit):	2.9881439641616536
Encrypted:	false
SSDEEP:
MD5:	D89746888DA2D9510B64A9F031EAECD5
SHA1:	D5FCEB6532643D0D84FFE09C40C481ECDF59E15A
SHA-256:	EF1955AE757C8B966C83248350331BD3A30F658CED11F387F8EBF05AB3368629
SHA-512:	D5DA26B5D496EDB0221DF1A4057A8B0285D15592A8F8DC7016A294DF37ED335F3FDE6A2252962E0DF38B62847F8B771463A0124EF3F84299F262ED9D9D3CEE4C
Malicious:	false
Preview:	GIF89a.............!.......,...........D.;

C:\Users\user\AppData\Local\FAST!\Temp\show_installing

Download File

Process:	C:\Users\user\Desktop\Setup (1).exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	42
Entropy (8bit):	2.9881439641616536
Encrypted:	false
SSDEEP:
MD5:	D89746888DA2D9510B64A9F031EAECD5
SHA1:	D5FCEB6532643D0D84FFE09C40C481ECDF59E15A
SHA-256:	EF1955AE757C8B966C83248350331BD3A30F658CED11F387F8EBF05AB3368629
SHA-512:	D5DA26B5D496EDB0221DF1A4057A8B0285D15592A8F8DC7016A294DF37ED335F3FDE6A2252962E0DF38B62847F8B771463A0124EF3F84299F262ED9D9D3CEE4C
Malicious:	false
Preview:	GIF89a.............!.......,...........D.;

C:\Users\user\AppData\Local\FAST!\Temp\show_welcome

Download File

Process:	C:\Users\user\Desktop\Setup (1).exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	42
Entropy (8bit):	2.9881439641616536
Encrypted:	false
SSDEEP:
MD5:	D89746888DA2D9510B64A9F031EAECD5
SHA1:	D5FCEB6532643D0D84FFE09C40C481ECDF59E15A
SHA-256:	EF1955AE757C8B966C83248350331BD3A30F658CED11F387F8EBF05AB3368629
SHA-512:	D5DA26B5D496EDB0221DF1A4057A8B0285D15592A8F8DC7016A294DF37ED335F3FDE6A2252962E0DF38B62847F8B771463A0124EF3F84299F262ED9D9D3CEE4C
Malicious:	false
Preview:	GIF89a.............!.......,...........D.;

C:\Users\user\AppData\Local\FAST!\Temp\systeminfo

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	42
Entropy (8bit):	2.9881439641616536
Encrypted:	false
SSDEEP:
MD5:	D89746888DA2D9510B64A9F031EAECD5
SHA1:	D5FCEB6532643D0D84FFE09C40C481ECDF59E15A
SHA-256:	EF1955AE757C8B966C83248350331BD3A30F658CED11F387F8EBF05AB3368629
SHA-512:	D5DA26B5D496EDB0221DF1A4057A8B0285D15592A8F8DC7016A294DF37ED335F3FDE6A2252962E0DF38B62847F8B771463A0124EF3F84299F262ED9D9D3CEE4C
Malicious:	false
Preview:	GIF89a.............!.......,...........D.;

C:\Users\user\AppData\Local\FAST!\Temp\tempPOSTData

Download File

Process:	C:\Users\user\Desktop\Setup (1).exe
File Type:	ASCII text, with very long lines (1624), with no line terminators
Category:	dropped
Size (bytes):	1624
Entropy (8bit):	5.301202563172665
Encrypted:	false
SSDEEP:
MD5:	EF10E8EF85780E427CD2150865875BE8
SHA1:	E13635A198A2EB6D5DF342160D65E26710A9BDDD
SHA-256:	70FF5AE5AD9CD0229D693333F7EE88687E3232C3D3FF321602940D58A2A1ACDB
SHA-512:	53352F7E45028007B1083A8DDCC1F8EF95D960FC3EACB0B81D8A0C99B1EE1659E4F175270A7BBF2C9C9DFCE07624B96FCAA8DED74CA80B2A4CD56F232E49333A
Malicious:	false
Preview:	{"system_stats":{ "os_name": "Microsoft+Windows+10+Pro", "os_installdate": "20231003105718%2E000000%2B120", "os_processes": "106", "os_architecture": "64-bit", "os_virtmem": "8387636", "os_mem": "4193332", "cpu_name": "Intel%28R%29+Core%28TM%292+CPU+6600+%40+2%2E40+GHz", "cpu_maxclock": "2000", "cpu_cores": "4", "cpu_logicalproc": "1", "pc_vendor": "VMware%2C+Inc%2E", "pc_version": "None", "gpu_name": "4MKF1R5YE", "gpu_ram": "0", "gpu_bitsperpixel": "32", "gpu_x": "1280", "gpu_y": "1024", "disk_name": "XNWT3Z39+SCSI+Disk+Device", "disk_size": "412300001200", "sec_as": "", "sec_av": "Windows+Defender", "sec_fw": "", "bios_releasedate": "20221121000000%2E000000%2B000" }, "pcapps":["7-Zip+23%2E01+%28x64%29", "Mozilla+Firefox+%28x64+en-US%29", "Mozilla+Maintenance+Service", "Microsoft+Office+Professional+Plus+2019+-+en-us", "Microsoft+Visual+C%2B%2B+2022+X64+Additional+Runtime+-+14%2E36%2E32532", "Office+16+Click-to-Run+Licensing+Component", "Office+16+Click-to-Run+Ex

C:\Users\user\AppData\Local\FAST!\Temp\temp_settings

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	39
Entropy (8bit):	2.378705519319095
Encrypted:	false
SSDEEP:
MD5:	6E49DEDBAE5267A678892DC1DDD5DED3
SHA1:	12BA0BCE89E26D74FEFCF113285495D62E46BF4C
SHA-256:	7A25E57576ED40BEEEB25C8E4E089302CE4F4FC033DA6B1CB2D277F9D0B5D6D9
SHA-512:	0DC712BBA0AB5C740BE7DBCD5172774D00289779693C16BA0DB5CCC0ECF9D7B39C14FB5E38F976F63BCD154EB2324BDC7BA56E8F3AEBD41D4E867530C8852509
Malicious:	false
Preview:	1,2,64,0,0,0,2,5,256,1,1,1,1,2,64,0,0,0

C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe
File Type:	data
Category:	dropped
Size (bytes):	104857600
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	2F282B84E7E608D5852449ED940BFC51
SHA1:	2C2CECCB5EC5574F791D45B63C940CFF20550F9A
SHA-256:	20492A4D0D84F8BEB1767F6616229F85D44C2827B64BDBFB260EE12FA1109E0E
SHA-512:	2798503C2C7B718799324122137BF30A562AAD1BC04BBF343DAAD225A5FD0D1FD5D269843A01AB00D4F8D8C5AB34F8956065F9831EF7459E9C487E895099E956
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\65b11014-69a5-420c-8aac-e34fe2b771c5.tmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2828
Entropy (8bit):	5.632331844820449
Encrypted:	false
SSDEEP:
MD5:	8E8B855CB5D8F51751CF2AB9907879C6
SHA1:	E920FC457EF43D698B052E8AC6CE2CB47D973635
SHA-256:	BD31CD9465C75B4C9C8270ACF1426CDFE1D5ED83E9BB3A7560C62DEF53BE0545
SHA-512:	FEE4735A9CECCC0E55B2A289AE84D7AF2C251964057E58F8E75A61825941293DDE5C024EBCDB29C7460FE5DCBFDF4D668231B57E4BE635F5E17657C65B631C03
Malicious:	false
Preview:	{"browser":{"shortcut_migration_version":"119.0.6045.105"},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"management":{"platform":{"azure_active_directory":0,"enterprise_mdm_win":0}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAD8wmKZK+OSSZ9tAUneByBPEAAAAAoAAABuAHcAagBzAAAAEGYAAAABAAAgAAAAd26Tq0OFIRQlEDwzxY+9XJx1clRngMs7gGCpXYnhyxEAAAAADoAAAAACAAAgAAAATYM/HO5uplLfG2BmaDCNuDXl07FMnMXMO+6IBa16yvkwAAAA0LpQINke5/9fCnDc0DVqkFV85logK4+Y0YZc4yWxIiT4khL6vVkh8yz27Q0sEzz3QAAAADN2CuefQv7yU59Jq64P8veLq8andbIjDUjKK1EtmxZBZuHXlcQDYIRduNwCMAKHAV6mFQls7xnSheDokCXjMBE="},"policy":{"last_statistics_update":"13353012663671255"},"profile":{"info_cache":{"Default":{"active_time":1708539076.327369,"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_26","background_apps":false,"force_signin_profile_locked":false,"gaia_id":"","is_consented_primary_account":false,"is_ephemeral":false,"is_using_default_avatar":true,"is_using_de

C:\Users\user\AppData\Local\FAST!\User Data\748992e5-07ed-4ae3-9cd8-55fb3686d198.tmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	868
Entropy (8bit):	5.7146325700273
Encrypted:	false
SSDEEP:
MD5:	A5FBF548C24ECC55226DF8C4E199BF4E
SHA1:	9588F2803BA96DAE9390DDBBC500A3DB25193213
SHA-256:	03AA75CD272EA32F023970BB14EC4069DC28CF6EB841256058F1787E6D769987
SHA-512:	209226C89A7635CCF0271AD426AF52AEB1AD248FCAD6FAAF17F965D9F15B99F0764179E496BB4D5A8127CC8FBCA0881ECFE10EE548F1140C756F17113AE9B7B0
Malicious:	false
Preview:	{"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAD8wmKZK+OSSZ9tAUneByBPEAAAAAoAAABuAHcAagBzAAAAEGYAAAABAAAgAAAAd26Tq0OFIRQlEDwzxY+9XJx1clRngMs7gGCpXYnhyxEAAAAADoAAAAACAAAgAAAATYM/HO5uplLfG2BmaDCNuDXl07FMnMXMO+6IBa16yvkwAAAA0LpQINke5/9fCnDc0DVqkFV85logK4+Y0YZc4yWxIiT4khL6vVkh8yz27Q0sEzz3QAAAADN2CuefQv7yU59Jq64P8veLq8andbIjDUjKK1EtmxZBZuHXlcQDYIRduNwCMAKHAV6mFQls7xnSheDokCXjMBE="},"profile":{"info_cache":{},"profile_counts_reported":"13353012663539251","profiles_order":[]},"uninstall_metrics":{"installation_date2":"1708539063"},"user_experience_metrics":{"low_entropy_source3":1379,"pseudo_low_entropy_source":6902,"stability":{"browser_last_live_timestamp":"13353012663387633","stats_buildtime":"1683435600","stats_version":"119.0.6045.105-64-devel","system_crash_count":0}}}

C:\Users\user\AppData\Local\FAST!\User Data\BrowserMetrics-spare.pma (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\BrowserMetrics-spare.pma.tmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\BrowserMetrics\BrowserMetrics-65D63CB7-B30.pma

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 512.000000, slope 4232548513472365723648.000000
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.3770357881086603
Encrypted:	false
SSDEEP:
MD5:	93FD4FDCF959AAEB03C6C16218DF2384
SHA1:	2FD94A8BE4CF8080438F41D1B94E27E37223372F
SHA-256:	6AEF736C8272A552F84F610A53BACE742043364801813BAD4AC8E5BFD21F9A2E
SHA-512:	8CCE41797AD921D52D5BD5E42AED01E1539F5BDC2FD7E23F2FA6BF2612403A45EF23B1732F1E2AFA414F719453F8558D1C5649D3BEFE6D468D045400A9EF6154
Malicious:	false
Preview:	...@..@...@.....C.].....@...............h..................`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30....G.........119.0.6045.105-64-devel.....".en-GB*...Windows NT..10.0.190452l..x86_64..?........".ecdhsi20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J..m#:^...YJ..<..S...J?J....W....J?P.j....... .8.@...............................$8405bf97-c0d8-430e-ae98-ce1b870c5b63...5.....6.'D.I.V.bHA.7L..]..<..8...(...SyntheticOptimizationGuideRemoteFetching....Disabled.0..,.......HttpsFirstModeClientSetting.....Disabled.<..8...$...Segmentation_ChromeLowUserEngagement....Unselected...0..,.......Segmentation_SearchUser.....Unselected...4..0.......Segmentation_ShoppingUser.......Unselected...4..0.......Segmentation_CrossDeviceUser....Unselected...4..0.......Segmenta

C:\Users\user\AppData\Local\FAST!\User Data\CrashpadMetrics-active.pma

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	1048576
Entropy (8bit):	0.016296302463853506
Encrypted:	false
SSDEEP:
MD5:	8B4C106F9F716561A2C1852FE72F083F
SHA1:	EB51F839653B8B48A5023B88A95DDBA26AC87F9D
SHA-256:	C5995D12671B48B47F48DCEAC143FD27FF65C3022E5F1A9633822000ECCB4E1F
SHA-512:	969575132F091BB1AF969A10C211199A6F49663887F1F487089EB16FF373EF88FC6AA3A68EFC826D8B1EF4F558B7B81A34380B87AB1B9ACF48F6EBA1FF71AB8E
Malicious:	false
Preview:	...@....................@...............p...................`... ...i.y.........CrashpadMetrics.....i.y..Yd.X.......A.......e............,........5l....................5l..................UMA.PersistentAllocator.CrashpadMetrics.UsedPct.h...i.y.[".................................!...&...+...0...6...;...@...E...K...P...U...Z...`...e...........i.y..Yd.........A...................V..>....?....{.................?....{.................UMA.PersistentAllocator.CrashpadMetrics.Errors.. ...i.y.[".........................i.y..Yd.........A..................._..-.....h-.....................h-....................Crashpad.HandlerLifetimeMilestone.......0...i.y.[".........................................i.y..Yd.@.......A...................V..>x.../.y.KO................../.y.KO..................Crashpad.ExceptionEncountered.......i.y..Yd.........A............................K..0.................K..0.................Crashpad.ExceptionCode.Win...... ...i.y........K..0............i.y.

C:\Users\user\AppData\Local\FAST!\User Data\Crashpad\metadata

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	4.048083628516703
Encrypted:	false
SSDEEP:
MD5:	8983578CA899DDDEBD5884141784D6C4
SHA1:	949033957492FDFECEADC7D8ACF532FD13E7AAF2
SHA-256:	174D94F577B1142A290A260F757875BDF1D4EE3B8F205DA1703BAD1562705C76
SHA-512:	A70C2A23E4A92D1957823918B5B7B7FF93BA8CEB3C7A7D902F7A09B12677875E82ECCB88083BE0332555FE429EB8EE8DB89CD86CA5FDEBCAB10FAD198F802E6F
Malicious:	false
Preview:	DAPC............m..Lj5.F../...,X....)....<.e............................4cda8e6d-356a-46e0-b308-2f858ac12c58.dmp..

C:\Users\user\AppData\Local\FAST!\User Data\Crashpad\reports\4cda8e6d-356a-46e0-b308-2f858ac12c58.dmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	Mini DuMP crash report, 13 streams, Wed Feb 21 18:11:03 2024, 0x200000 type
Category:	dropped
Size (bytes):	2171584
Entropy (8bit):	3.9046371859339644
Encrypted:	false
SSDEEP:
MD5:	07FFBBC8C7D8D4E7D45B9E2DDFC140EE
SHA1:	44668B20A3D1A5AA980892A99A81DFD64EA045DE
SHA-256:	CF6890B691BAF607021013C529DF27F87558E634BC29D052B33EDA0C5C714804
SHA-512:	E0607AA1518C3CA091777FD030FECDAA3053F72985067C64E3AE56B30799CCC410D64EA3E8997B3473FCA32ACA053D20259BC27637765730AC49A8318FBFFA22
Malicious:	false
Preview:	MDMP........ ........<.e.. .........8...........T...........T...X...........P...........8.......0"..........\...03....PC@...46...... ....:......PG..<.....kKG....]......4v..d^....kK%.......................eJ..............L.B.........................2.0.0.6.....T...G...0....<.e................................................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................W.i.n.d.o.w.s. .N.T. .1.0...0...1.9.0.4.5...2.0.0.6.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	3.254162526001658
Encrypted:	false
SSDEEP:
MD5:	125E335DFCAD659DB2EC5807E4C9E2C1
SHA1:	33DCB87162870DB09A21C14C4A4FE5B6E5AF34C8
SHA-256:	A19644A25C7F3E0D0497E24BF6C40AB0F7CA6BCCD754189314EB8A6FF41B90FD
SHA-512:	4D67C7C460ABC59615ACD61F9E0D4D4AEDB96DAF43A29FD0BBDB98D72F9E56AC8A02D33F51F5DF7F8815ECD99A11CFCC1081613C1A9F21C17E39030B5F7CDA7B
Malicious:	false
Preview:	sdPC.....................Tg.1[{N.P..."p

C:\Users\user\AppData\Local\FAST!\User Data\Default\05cec6f1-54fd-438f-8388-fde98d60a8cc.tmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4489
Entropy (8bit):	4.940028321011719
Encrypted:	false
SSDEEP:
MD5:	914748335639C40C8E272FDCE9CF40DA
SHA1:	C7ED91859BA9F0D8789F1BD1F9FA0E1306E6F4EE
SHA-256:	334FA1D02315D905C8233707B72172019BB108096B344518207C7A1DB5E63509
SHA-512:	65AE43F7D6C126B6102E01EE955B2743EA9A2A53AB703B1A94E2E6BD153889457084C693B3BCBCF6DCA19BEC1F2B549518088FB11161F8399461BCCB09D5B08D
Malicious:	false
Preview:	{"account_tracker_service_last_update":"13353012666781323","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13353012663851491","apps":{"shortcuts_arch":"","shortcuts_version":0},"autocomplete":{"retention_policy_last_version":119},"browser":{"has_seen_welcome_page":false,"window_placement_popup":{"bottom":717,"fullscreen":false,"left":240,"maximized":false,"right":1040,"top":267,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":17224,"dips_timer_last_update":"13353012670950369","domain_diversity":{"last_reporting_timestamp":"13353012666781441"},"extensions":{"alerts":{"initialized":true},"chrome_url_overrides":{},"last_chrome_version":"119.0.6045.105"},"gcm":{"product_category_for_subtypes":"com.nwjs.windows"},"google":{"services":{"consented_to_sync":false,"signin_scoped_device_id":"5ffe6ba7-9d9f-4bb4-ad1c-3000f808658c"}},"invalidation":{"per_sender_topics_to_handler":{"1013309121859":

C:\Users\user\AppData\Local\FAST!\User Data\Default\196e34ab-1383-4499-b9b8-00745911ddee.tmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4165
Entropy (8bit):	4.920308515607982
Encrypted:	false
SSDEEP:
MD5:	8CC5FD4E2659E00F9313836691B790CE
SHA1:	1E6903D9D5E03DC707F61754A32FC3E7C83173C5
SHA-256:	3117873C574064E517B4F97E5D66D6E87B95E3B9223C1283D90F5D04D0F6EC0A
SHA-512:	AE47FF551C12905AF3644EB7ABB843842000CA2BAF08FDAC140809F22561BAF31DE11A494A48C33394C82C900450FEDD5FE5D09F961074482D8508E2EA0C045E
Malicious:	false
Preview:	{"account_tracker_service_last_update":"13353012666781323","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13353012663851491","apps":{"shortcuts_arch":"","shortcuts_version":0},"autocomplete":{"retention_policy_last_version":119},"browser":{"has_seen_welcome_page":false},"countryid_at_install":17224,"dips_timer_last_update":"13353012670950369","domain_diversity":{"last_reporting_timestamp":"13353012666781441"},"extensions":{"alerts":{"initialized":true},"chrome_url_overrides":{},"last_chrome_version":"119.0.6045.105"},"gcm":{"product_category_for_subtypes":"com.nwjs.windows"},"google":{"services":{"consented_to_sync":false,"signin_scoped_device_id":"5ffe6ba7-9d9f-4bb4-ad1c-3000f808658c"}},"invalidation":{"per_sender_topics_to_handler":{"1013309121859":{}}},"media":{"engagement":{"schema_version":5}},"media_router":{"receiver_id_hash_token":"je4SZefLPzZWxwmTcykwqGrIBgMC8VRMyJPNVRgkE0umU9ug9y/yjxSQrF+62N3bJER3rzAwhLv3T3hz2R8EhA=="},"ntp":{"num_

C:\Users\user\AppData\Local\FAST!\User Data\Default\270c38a9-9a4b-48d5-a314-0eb8ef9c4a7d.tmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	MS Windows icon resource - 13 icons, 8x8, 32 bits/pixel, 10x10, 32 bits/pixel
Category:	dropped
Size (bytes):	151668
Entropy (8bit):	1.0550957398929903
Encrypted:	false
SSDEEP:
MD5:	728FE78292F104659FEA5FC90570CC75
SHA1:	11B623F76F31EC773B79CDB74869ACB08C4052CB
SHA-256:	D98E226BEA7A9C56BFDFAB3C484A8E6A0FB173519C43216D3A1115415B166D20
SHA-512:	91E81B91B29D613FDDE24B010B1724BE74F3BAE1D2FB4FAA2C015178248ED6A0405E2B222F4A557A6B895663C159F0BF0DC6D64D21259299E36F53D95D7067AA
Malicious:	false
Preview:	............ .H............. ............... .p............. .h...n......... ............... ......... .... .....n...((.... .h.......00.... ..%..~H..@@.... .(B..&n..``.... .....N......... .(....D........ .V....M..(............. .........................................................................................................................................................................................................................................................................................................................(............. ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\4254e63f-53ad-4339-8da7-ca76590ba279.tmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4068
Entropy (8bit):	5.518624541150009
Encrypted:	false
SSDEEP:
MD5:	64E8F3210FE21582DC4FF6E629A1A484
SHA1:	EFE037AE96E4DCE6E0352DFB4B41CC5135506797
SHA-256:	85A29E98E025E75B1EABC190D6720E62216301755F51BF895E112DD5E822F051
SHA-512:	F4BFFA9ABB1B34D71636CE6062C537E6B9F9B1D48F92C867196F44E9AF0D5882F5707B3C4DE13049CA00E5739ABE2DB340ED952426D11EC0E5A7876FA02BA074
Malicious:	false
Preview:	{"extensions":{"settings":{"mhjfbmdgcfjbbpaeojofohoefgiehjai":{"active_permissions":{"api":["contentSettings","fileSystem","fileSystem.write","metricsPrivate","tabs","resourcesPrivate","pdfViewerPrivate"],"explicit_host":["chrome://resources/","chrome://webui-test/"],"manifest_permissions":[],"scriptable_host":[]},"commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13353012663852479","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13353012663852479","location":5,"manifest":{"content_security_policy":"script-src 'self' 'wasm-eval' blob: filesystem: chrome://resources chrome://webui-test; object-src * blob: externalfile: file: filesystem: data:","description":"","incognito":"split","key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDN6hM0rsDYGbzQPQfOygqlRtQgKUXMfnSjhIBL7LnReAVBEd7ZmKtyN2qmSasMl4HZpMhVe2rPWVVwBDl6iyNE/Kok6E6v6V3vCLGsOpQAuuNVye/3QxzIldzG/jQAdWZiyXReRVapOhZtLjGfywCvlWq7Sl/e3sbc0vWybSDI2QID

C:\Users\user\AppData\Local\FAST!\User Data\Default\477ff2aa-de08-4d69-9f31-2085d60f462e.tmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\FAST!\User Data\Default\6327f78b-ac99-46cc-ae00-006c0f28458a.tmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4663
Entropy (8bit):	4.947520930810368
Encrypted:	false
SSDEEP:
MD5:	F2714BB2D67EE919C203DD9C3D6CC787
SHA1:	5AF410A02A2C103C81E40F099585B68F3EA2EA37
SHA-256:	55A5EE6449353D3A1F11BEB1150F78AFEC6A0CEC14C272381174ED2B0DEA659C
SHA-512:	3C76199EAE76856B9DD4A361DAD35D424FC167CE57F9B4CDFE90FE97509675E7DBA70FB46F6E6CAF849A45E425D1126F17403CB543CC69E3F4F9038A8C7FBE2B
Malicious:	false
Preview:	{"account_tracker_service_last_update":"13353012666781323","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13353012663851491","apps":{"shortcuts_arch":"","shortcuts_version":0},"autocomplete":{"retention_policy_last_version":119},"browser":{"has_seen_welcome_page":false,"window_placement_popup":{"bottom":717,"fullscreen":false,"left":240,"maximized":false,"right":1040,"top":267,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":17224,"dips_timer_last_update":"13353012670950369","domain_diversity":{"last_reporting_timestamp":"13353012666781441"},"extensions":{"alerts":{"initialized":true},"chrome_url_overrides":{},"last_chrome_version":"119.0.6045.105"},"gcm":{"product_category_for_subtypes":"com.nwjs.windows"},"google":{"services":{"consented_to_sync":false,"signin_scoped_device_id":"5ffe6ba7-9d9f-4bb4-ad1c-3000f808658c"}},"invalidation":{"per_sender_topics_to_handler":{"1013309121859":

C:\Users\user\AppData\Local\FAST!\User Data\Default\82a995db-0373-4e30-8617-2fcfd3a97dbc.tmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4107
Entropy (8bit):	5.516074237692665
Encrypted:	false
SSDEEP:
MD5:	12E02BE2DF25CFB1714ED9782BD42619
SHA1:	F012BFF6E7029D5D94DDD5BE1C921D810C09E61D
SHA-256:	3EC68706142F08EEE348B171E0BD3E711E5EE46E4FF8FEE48562934346D616A1
SHA-512:	4E2D1A6D87433A413CD3DA66D532A1E524B13E85EFB58FE8865744FBBE6D0A33305876D0EBFF3A3B1CC8FE79774FEC679A2C8B265C6AF18B9DB32D9287A49ABF
Malicious:	false
Preview:	{"extensions":{"settings":{"mhjfbmdgcfjbbpaeojofohoefgiehjai":{"active_permissions":{"api":["contentSettings","fileSystem","fileSystem.write","metricsPrivate","tabs","resourcesPrivate","pdfViewerPrivate"],"explicit_host":["chrome://resources/","chrome://webui-test/"],"manifest_permissions":[],"scriptable_host":[]},"commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13353012663852479","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13353012663852479","location":5,"manifest":{"content_security_policy":"script-src 'self' 'wasm-eval' blob: filesystem: chrome://resources chrome://webui-test; object-src * blob: externalfile: file: filesystem: data:","description":"","incognito":"split","key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDN6hM0rsDYGbzQPQfOygqlRtQgKUXMfnSjhIBL7LnReAVBEd7ZmKtyN2qmSasMl4HZpMhVe2rPWVVwBDl6iyNE/Kok6E6v6V3vCLGsOpQAuuNVye/3QxzIldzG/jQAdWZiyXReRVapOhZtLjGfywCvlWq7Sl/e3sbc0vWybSDI2QID

C:\Users\user\AppData\Local\FAST!\User Data\Default\8cb18855-567d-4c90-ae56-2a2b0ea514c4.tmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4561
Entropy (8bit):	4.944358971391033
Encrypted:	false
SSDEEP:
MD5:	033F9E55871D7BBAE1A1B5CEB960C6EF
SHA1:	C80F9DD266FF4A17905FF58FEE5305D4C3467932
SHA-256:	99F279E2D978137ABA5647550EFAF91BB86CD1CA461FF09E084FB57E4F15A4FD
SHA-512:	137E789E19BBB5FAC3F71C76DF7A5AE388A72FB03D6A3BD442FA6BBC03FE0A1C5E8B6FA578DF6D66C8D8C20712ECE3B6B05766F565D843AE62A877673B359889
Malicious:	false
Preview:	{"account_tracker_service_last_update":"13353012666781323","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13353012663851491","apps":{"shortcuts_arch":"","shortcuts_version":0},"autocomplete":{"retention_policy_last_version":119},"browser":{"has_seen_welcome_page":false,"window_placement_popup":{"bottom":717,"fullscreen":false,"left":240,"maximized":false,"right":1040,"top":267,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":17224,"dips_timer_last_update":"13353012670950369","domain_diversity":{"last_reporting_timestamp":"13353012666781441"},"extensions":{"alerts":{"initialized":true},"chrome_url_overrides":{},"last_chrome_version":"119.0.6045.105"},"gcm":{"product_category_for_subtypes":"com.nwjs.windows"},"google":{"services":{"consented_to_sync":false,"signin_scoped_device_id":"5ffe6ba7-9d9f-4bb4-ad1c-3000f808658c"}},"invalidation":{"per_sender_topics_to_handler":{"1013309121859":

C:\Users\user\AppData\Local\FAST!\User Data\Default\Affiliation Database

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 11, cookie 0x6, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.40014189446483467
Encrypted:	false
SSDEEP:
MD5:	00AF4A50B4E83413600C40BE126B17B1
SHA1:	D6C2AAC58F581C4EA3B45C997A922DD99B2396CD
SHA-256:	95A77058925FC8DC392E2A4CF51D60EE41FFA49967A6E3BD4F34EFE3F0473E0E
SHA-512:	8B95EE2EFCA34EFE82A7E53E3C9EF68B481F174A5545C6A0AF9BB104AB43EF9554E2FB439522D4308886A8B04C9BC912472E82AF1E0964A5CA89906F0C646A02
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....e...$.y.....Q........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	4.974937393114874E-4
Encrypted:	false
SSDEEP:
MD5:	75A01831E6FF8A1D8C8CE03D217B408A
SHA1:	1B3B8773FF0F7F3DD7328AE7014B2CBC42C2E810
SHA-256:	784509BCF9ADF5A4C2D502768578F210C1E35BBB92EE69763C471C3FEE1672FE
SHA-512:	446B4B9A52ACFC945E76DE1D01B7CF1160E1CA537EA54EB4F17E87F2BF23C4D78122D49E647344DD69439E1037AF5836C9F39941F71806B2EFEB27CB2D30EB8D
Malicious:	false
Preview:	.........................................i..~p/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9555576533947305
Encrypted:	false
SSDEEP:
MD5:	E36061763DC9560745B0DE1FC7E8C75D
SHA1:	77CAF2CAE051A26970E4D2001D7953D98A26D959
SHA-256:	24900976F4E9A4BE14D159EA00384BACF8BDF7724A72A1747418A2F3A60D2285
SHA-512:	D294D4713E2FDF3410C569498955CB5198063DDC090B032AD7E013D0AA4F87210C757C79BF63CDDB546EF39CFF6B3C8139EC81F6B8B4F1A4B51EAA984DB2FF25
Malicious:	false
Preview:	(......roy retne..........................~p/.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9555576533947305
Encrypted:	false
SSDEEP:
MD5:	E36061763DC9560745B0DE1FC7E8C75D
SHA1:	77CAF2CAE051A26970E4D2001D7953D98A26D959
SHA-256:	24900976F4E9A4BE14D159EA00384BACF8BDF7724A72A1747418A2F3A60D2285
SHA-512:	D294D4713E2FDF3410C569498955CB5198063DDC090B032AD7E013D0AA4F87210C757C79BF63CDDB546EF39CFF6B3C8139EC81F6B8B4F1A4B51EAA984DB2FF25
Malicious:	false
Preview:	(......roy retne..........................~p/.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:
MD5:	32CF267335FEA2B86819E269C0C9E2E3
SHA1:	2D368D846D0137CD4DD42561E5BD022B932963FA
SHA-256:	70A91F6BB4FE8D8F5ADDFEEF57053DDA64D835418C2C763AC4B12352D52C205E
SHA-512:	471A6D9DB77A89652C30BD92EE0CF422E08DA256C33E91C69DB6FA5108E42F00A1A0764CE464A600CA7739478118A5DE12C5B322F3BBC151697DBBDA73E3CACE
Malicious:	false
Preview:	(......^oy retne.........................R..~p/.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:
MD5:	32CF267335FEA2B86819E269C0C9E2E3
SHA1:	2D368D846D0137CD4DD42561E5BD022B932963FA
SHA-256:	70A91F6BB4FE8D8F5ADDFEEF57053DDA64D835418C2C763AC4B12352D52C205E
SHA-512:	471A6D9DB77A89652C30BD92EE0CF422E08DA256C33E91C69DB6FA5108E42F00A1A0764CE464A600CA7739478118A5DE12C5B322F3BBC151697DBBDA73E3CACE
Malicious:	false
Preview:	(......^oy retne.........................R..~p/.

C:\Users\user\AppData\Local\FAST!\User Data\Default\DIPS

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.4846813034978561
Encrypted:	false
SSDEEP:
MD5:	B0FDE8AC27613503068DCC24DBFD11FA
SHA1:	E3AC50E19E181A6363197838DD3EC5F241D31B36
SHA-256:	1F1DDF66AA4CFF9AB5BE2117171FD9FE54AEA6D6F8824B0C8451E92D6692EA4D
SHA-512:	CF40FB3D7D0F75826D20EA360CD822E7C384D4015C75E03ECA2EF77A7C50991781D17EDC2FCA56E701C3E21939FCF1E588FADEB1B81172F08A67F3EFE038CCC5
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....8...n................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:
MD5:	0C5823FB4D556B90114268757097102F
SHA1:	B07FB73138717B3B5D423D4F45132D10D7F15836
SHA-256:	121DF8FD385CAAE8F4C8DA77AFE2ECC73E595B9B6D4ABDF680B72B3C0D2649BA
SHA-512:	1EF4417D4D5F99F2597D77C6CBA103A3302098A1AB50F14DA9314668A71CFBC5ECB607CBC76B8150AFFBF0C698F17B1C58932B34ED3D6072C456D0CEFD8832D8
Malicious:	false
Preview:	........................................g..~p/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension Rules\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	76
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:
MD5:	CC4A8CFF19ABF3DD35D63CFF1503AA5F
SHA1:	52AF41B0D9C78AFCC8E308DB846C2B52A636BE38
SHA-256:	CC5DACF370F324B77B50DDDF5D995FD3C7B7A587CB2F55AC9F24C929D0CD531A
SHA-512:	0E9559CDA992AA2174A7465745884F73B96755008384D21A0685941ACF099C89C8203B13551DE72A87B8E23CDAAE3FA513BC700B38E1BF3B9026955D97920320
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension Rules\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	267
Entropy (8bit):	5.146311289519911
Encrypted:	false
SSDEEP:
MD5:	171160D160341E92672AEAA3AB68BDD8
SHA1:	F590A2A0CE95D69F2A4D95D8C15D867B6BE91F8C
SHA-256:	3E763A62E6E4300ADFA5E1BA6CA71CE9B9C3F8D1C0A6971AFD1BB170FB734EC5
SHA-512:	0E233666297409846C904FE3310FA0943BDABDAF15534431F9C989A815F1D825E01D667249B1868B249246FEFE42248ECF26BB39E6612913F81BCEA4112F569E
Malicious:	false
Preview:	2024/02/21-19:11:06.068 bac Creating DB C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension Rules since it was missing..2024/02/21-19:11:06.627 bac Reusing MANIFEST C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension Rules/MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension Rules\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension Scripts\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:
MD5:	51A2CBB807F5085530DEC18E45CB8569
SHA1:	7AD88CD3DE5844C7FC269C4500228A630016AB5B
SHA-256:	1C43A1BDA1E458863C46DFAE7FB43BFB3E27802169F37320399B1DD799A819AC
SHA-512:	B643A8FA75EDA90C89AB98F79D4D022BB81F1F62F50ED4E5440F487F22D1163671EC3AE73C4742C11830214173FF2935C785018318F4A4CAD413AE4EEEF985DF
Malicious:	false
Preview:	.f.5................f.5...............

C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension Scripts\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	271
Entropy (8bit):	5.162031144747649
Encrypted:	false
SSDEEP:
MD5:	CCAD4E896963BC8FE648B0274AD2B64B
SHA1:	E135906666A0B899AD6432B1F233A5B0E64C5184
SHA-256:	4EE45E55960C5AF6E3FA04501EAF1DEA72AF8D9518B945CC22C714E6B98D3CFD
SHA-512:	6BF2DF3D0472A5277FD0C4019DC05873DFF60B6D33E81941A64E4C8C118C7B2B7AD245C06A392BD2D4B2E359C861289706F06EDAD254EAAE5D872954A362DB79
Malicious:	false
Preview:	2024/02/21-19:11:06.756 bac Creating DB C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension Scripts since it was missing..2024/02/21-19:11:06.897 bac Reusing MANIFEST C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension Scripts/MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension Scripts\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension State\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:
MD5:	891A884B9FA2BFF4519F5F56D2A25D62
SHA1:	B54A3C12EE78510CB269FB1D863047DD8F571DEA
SHA-256:	E2610960C3757D1757F206C7B84378EFA22D86DCF161A98096A5F0E56E1A367E
SHA-512:	CD50C3EE4DFB9C4EC051B20DD1E148A5015457EE0C1A29FFF482E62291B32097B07A069DB62951B32F209FD118FD77A46B8E8CC92DA3EAAE6110735D126A90EE
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension State\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	267
Entropy (8bit):	5.1357339853563015
Encrypted:	false
SSDEEP:
MD5:	3837309D6109F2771A52629FE8079861
SHA1:	E07DF408E6FEA4B20B891F5D6BAC153DA7E8FF7B
SHA-256:	B3576CD369BE43D355E0BBD923EFFF94F676BD6CEB6EB08C5B944EA34CD15258
SHA-512:	2C0364039A8177DA4416433B465B8C604197AEBA51A2FE2C622A4983BE73994BF56EF72477731FF2ADC7EF6C44635E824C3260C3844037A4C6764BED22C28C0C
Malicious:	false
Preview:	2024/02/21-19:11:07.283 bac Creating DB C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension State since it was missing..2024/02/21-19:11:08.768 bac Reusing MANIFEST C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension State/MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Extension State\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\FAST!\User Data\Default\Favicons

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 10, cookie 0x8, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6975083372685086
Encrypted:	false
SSDEEP:
MD5:	F5BBD8449A9C3AB28AC2DE45E9059B01
SHA1:	C569D730853C33234AF2402E69C19E0C057EC165
SHA-256:	825FF36C4431084C76F3D22CE0C75FA321EA680D1F8548706B43E60FCF5B566E
SHA-512:	96ACDED5A51236630A64FAE91B8FA9FAB43E22E0C1BCB80C2DD8D4829E03FBFA75AA6438053599A42EC4BBCF805BF0B1E6DFF9069B2BA182AD0BB30F2542FD3F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....._.c...~.2.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................s...;+...indexfavicon_bitmaps_icon_idfavico

C:\Users\user\AppData\Local\FAST!\User Data\Default\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.47693366977411E-4
Encrypted:	false
SSDEEP:
MD5:	AB8FECBF94AC8CCF1240BC7ED31DD961
SHA1:	9FC9A03E78100CB5A7231776F4D539C710E370AE
SHA-256:	FC725E7D1791101C0D31986852AA6C43BA171923517FA849AB42ADEE9B89D9A2
SHA-512:	753C04BD539AC8D4AC6D834A56F4A290FE0FA5075136AF6677728A948644497358BF666367B52A71BEE58D8787C366E8ABCD1FD5249F61CE4FCC76F6B20A5163
Malicious:	false
Preview:	........................................./.~p/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Google Profile.ico (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	MS Windows icon resource - 13 icons, 8x8, 32 bits/pixel, 10x10, 32 bits/pixel
Category:	dropped
Size (bytes):	151668
Entropy (8bit):	1.0550957398929903
Encrypted:	false
SSDEEP:
MD5:	728FE78292F104659FEA5FC90570CC75
SHA1:	11B623F76F31EC773B79CDB74869ACB08C4052CB
SHA-256:	D98E226BEA7A9C56BFDFAB3C484A8E6A0FB173519C43216D3A1115415B166D20
SHA-512:	91E81B91B29D613FDDE24B010B1724BE74F3BAE1D2FB4FAA2C015178248ED6A0405E2B222F4A557A6B895663C159F0BF0DC6D64D21259299E36F53D95D7067AA
Malicious:	false
Preview:	............ .H............. ............... .p............. .h...n......... ............... ......... .... .....n...((.... .h.......00.... ..%..~H..@@.... .(B..&n..``.... .....N......... .(....D........ .V....M..(............. .........................................................................................................................................................................................................................................................................................................................(............. ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Google Profile.ico~RF65ab38.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	MS Windows icon resource - 13 icons, 8x8, 32 bits/pixel, 10x10, 32 bits/pixel
Category:	dropped
Size (bytes):	151668
Entropy (8bit):	1.0550957398929903
Encrypted:	false
SSDEEP:
MD5:	728FE78292F104659FEA5FC90570CC75
SHA1:	11B623F76F31EC773B79CDB74869ACB08C4052CB
SHA-256:	D98E226BEA7A9C56BFDFAB3C484A8E6A0FB173519C43216D3A1115415B166D20
SHA-512:	91E81B91B29D613FDDE24B010B1724BE74F3BAE1D2FB4FAA2C015178248ED6A0405E2B222F4A557A6B895663C159F0BF0DC6D64D21259299E36F53D95D7067AA
Malicious:	false
Preview:	............ .H............. ............... .p............. .h...n......... ............... ......... .... .....n...((.... .h.......00.... ..%..~H..@@.... .(B..&n..``.... .....N......... .(....D........ .V....M..(............. .........................................................................................................................................................................................................................................................................................................................(............. ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\History

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 40, cookie 0x21, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	0.562943866245377
Encrypted:	false
SSDEEP:
MD5:	530FEDE1A0851AC27708DD56E0AEF91E
SHA1:	56F7ACC11BECB3C2BA5A856F1F5563C454E6F99C
SHA-256:	CB96E870B209DC45A04573C45F1B92DE36A006EAD8EF841C79E0D97BDC99F9B6
SHA-512:	0AF7FAA8EE1175B8C8C418BE7A3A9A75022573E731824A1C26F962BD7BBDBB67ED35005DC80592B674107A5C3853A461797BC0400B1E8D53C65D0047600E36E8
Malicious:	true
Preview:	SQLite format 3......@ .......(...........!......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\History-journal

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	0.21824747255171947
Encrypted:	false
SSDEEP:
MD5:	5C1F348A95D3C21D3E12634D4E99EC72
SHA1:	6000FAE7DCA2A2D7A203919558E162C9D211DFE0
SHA-256:	6E848221C6B701D9743F1B526AD37F187572A9FF9A374409260701C6351D25D7
SHA-512:	6FB427D86B33FEFCC0B36BDE79099F0C13BEEE56A3E575A3DC004FF0DF1714C499A739516EFAE74126744B41A3BFAAE87CDCA5C4461A08FE5A0F615063220B95
Malicious:	false
Preview:	............Quh....(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	281
Entropy (8bit):	5.137069007667804
Encrypted:	false
SSDEEP:
MD5:	0F6E3A5D6B5C4623CC60861E1F2B361D
SHA1:	DAD4D497BAA62C2A6B62849B586FC0D6469C0E99
SHA-256:	50119569D0493225539A5BBB547ECAEF7CD9427063F3064080CFB6880D17AA8B
SHA-512:	448505B3D269715C4ED3D90943DE4ADE5BF1B87F0E84C70E5A2570D31A7044E28C80BCE15835B7554B0D053316200B845838488556A1A2661563931F79CFC1E4
Malicious:	false
Preview:	2024/02/21-19:11:08.871 1e80 Creating DB C:\Users\user\AppData\Local\FAST!\User Data\Default\Local Storage\leveldb since it was missing..2024/02/21-19:11:09.125 1e80 Reusing MANIFEST C:\Users\user\AppData\Local\FAST!\User Data\Default\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\FAST!\User Data\Default\Login Data

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553812935198943
Encrypted:	false
SSDEEP:
MD5:	A1877CA6FEF34566AF96AF105F154DEE
SHA1:	8DF5BEE9F7E2ECE02F854056A3CC1DFDADC7A298
SHA-256:	BA40B8EB55AEAF252FD740BFED6B2C99B057110F9FE1F684C9694EC0B7BD80F0
SHA-512:	D82F9FA88583B07DF5309086056BAB6308304DD4F75F63CA8E769A9938F4FCC8214EFC1F7AAD78DD437121E1E32829E25E0C2259C28CEA385DC0F5A9BA1D9E69
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Login Data For Account

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553812935198943
Encrypted:	false
SSDEEP:
MD5:	A1877CA6FEF34566AF96AF105F154DEE
SHA1:	8DF5BEE9F7E2ECE02F854056A3CC1DFDADC7A298
SHA-256:	BA40B8EB55AEAF252FD740BFED6B2C99B057110F9FE1F684C9694EC0B7BD80F0
SHA-512:	D82F9FA88583B07DF5309086056BAB6308304DD4F75F63CA8E769A9938F4FCC8214EFC1F7AAD78DD437121E1E32829E25E0C2259C28CEA385DC0F5A9BA1D9E69
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Network Action Predictor

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 11, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.40293591932113104
Encrypted:	false
SSDEEP:
MD5:	ADC0CFB8A1A20DE2C4AB738B413CBEA4
SHA1:	238EF489E5FDC6EBB36F09D415FB353350E7097B
SHA-256:	7C071E36A64FB1881258712C9880F155D9CBAC693BADCC391A1CB110C257CC37
SHA-512:	38C8B7293B8F7BEF03299BAFB981EEEE309945B1BDE26ACDAD6FDD63247C21CA04D493A1DDAFC3B9A1904EFED998E9C7C0C8E98506FD4AC0AB252DFF34566B66
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......=......\.t.+.>...,...=........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Network\32e0d933-7fe4-4ef1-b073-adde77dbea25.tmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\FAST!\User Data\Default\Network\38bc4182-c85c-4597-95c6-3c74b074f1b0.tmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\FAST!\User Data\Default\Network\8fd2b03c-eb93-4d87-bbcb-55834a5bf4e4.tmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	443
Entropy (8bit):	5.3181924557373685
Encrypted:	false
SSDEEP:
MD5:	E226BC58BED3388C72B8717E5BD1CB3F
SHA1:	1481BC255216ACE64078557788180501602F0EBA
SHA-256:	A0624918DFC0DF69D569F66347B708F067BF037EE70EAB7125486134339B2F07
SHA-512:	22E2A8F4934952FE09A875C3337068D5418BD342A0B1E8F55C1BF9A4C3D2FF53C717F70FAA63AFCCE3191FC1C01AC7F107AE8F5C7914ABBA8E62450ABEC383D3
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13355604688922729","port":443,"protocol_str":"quic"}],"anonymization":["MAAAACsAAABodHRwczovL29wdGltaXphdGlvbmd1aWRlLXBhLmdvb2dsZWFwaXMuY29tAA==",false],"server":"https://optimizationguide-pa.googleapis.com"}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\FAST!\User Data\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\FAST!\User Data\Default\Network\Network Persistent State~RF66d39b.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\FAST!\User Data\Default\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.5559635235158827
Encrypted:	false
SSDEEP:
MD5:	9AAAE8C040B616D1378F3E0E17689A29
SHA1:	F91E7DE07F1DA14D15D067E1F50C3B84A328DBB7
SHA-256:	5B94D63C31AE795661F69B9D10E8BFD115584CD6FEF5FBB7AA483FDC6A66945B
SHA-512:	436202AB8B6BB0318A30946108E6722DFF781F462EE05980C14F57F347EDDCF8119E236C3290B580CEF6902E1B59FB4F546D6BD69F62479805B39AB0F3308EC1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\FAST!\User Data\Default\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3844
Entropy (8bit):	4.905515270045811
Encrypted:	false
SSDEEP:
MD5:	552199E7DDAA49A9E09D85FF4DD7A156
SHA1:	8670408E6579C734DB24340F240BA45B76EB00B3
SHA-256:	5466820D5AE814C256E860279DE997398D841624E337D4196B677831185AACFC
SHA-512:	296FF6D322D0C1B73454450967A5F8E1198FA8F495A1DFFE7A01518FED63807700B8B085B877833A344AEB92EF307CA3E939ED940F1326642A04C46DE3B7B7A3
Malicious:	false
Preview:	{"account_tracker_service_last_update":"13353012666781323","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13353012663851491","apps":{"shortcuts_arch":"","shortcuts_version":0},"browser":{"has_seen_welcome_page":false},"countryid_at_install":17224,"dips_timer_last_update":"13353012670950369","domain_diversity":{"last_reporting_timestamp":"13353012666781441"},"extensions":{"alerts":{"initialized":true},"chrome_url_overrides":{},"last_chrome_version":"119.0.6045.105"},"gcm":{"product_category_for_subtypes":"com.nwjs.windows"},"google":{"services":{"consented_to_sync":false,"signin_scoped_device_id":"5ffe6ba7-9d9f-4bb4-ad1c-3000f808658c"}},"invalidation":{"per_sender_topics_to_handler":{"1013309121859":{}}},"media":{"engagement":{"schema_version":5}},"media_router":{"receiver_id_hash_token":"je4SZefLPzZWxwmTcykwqGrIBgMC8VRMyJPNVRgkE0umU9ug9y/yjxSQrF+62N3bJER3rzAwhLv3T3hz2R8EhA=="},"ntp":{"num_personal_suggestions":1},"optimization_guide":{"previ

C:\Users\user\AppData\Local\FAST!\User Data\Default\Preferences~RF65eff2.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3844
Entropy (8bit):	4.905515270045811
Encrypted:	false
SSDEEP:
MD5:	552199E7DDAA49A9E09D85FF4DD7A156
SHA1:	8670408E6579C734DB24340F240BA45B76EB00B3
SHA-256:	5466820D5AE814C256E860279DE997398D841624E337D4196B677831185AACFC
SHA-512:	296FF6D322D0C1B73454450967A5F8E1198FA8F495A1DFFE7A01518FED63807700B8B085B877833A344AEB92EF307CA3E939ED940F1326642A04C46DE3B7B7A3
Malicious:	false
Preview:	{"account_tracker_service_last_update":"13353012666781323","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13353012663851491","apps":{"shortcuts_arch":"","shortcuts_version":0},"browser":{"has_seen_welcome_page":false},"countryid_at_install":17224,"dips_timer_last_update":"13353012670950369","domain_diversity":{"last_reporting_timestamp":"13353012666781441"},"extensions":{"alerts":{"initialized":true},"chrome_url_overrides":{},"last_chrome_version":"119.0.6045.105"},"gcm":{"product_category_for_subtypes":"com.nwjs.windows"},"google":{"services":{"consented_to_sync":false,"signin_scoped_device_id":"5ffe6ba7-9d9f-4bb4-ad1c-3000f808658c"}},"invalidation":{"per_sender_topics_to_handler":{"1013309121859":{}}},"media":{"engagement":{"schema_version":5}},"media_router":{"receiver_id_hash_token":"je4SZefLPzZWxwmTcykwqGrIBgMC8VRMyJPNVRgkE0umU9ug9y/yjxSQrF+62N3bJER3rzAwhLv3T3hz2R8EhA=="},"ntp":{"num_personal_suggestions":1},"optimization_guide":{"previ

C:\Users\user\AppData\Local\FAST!\User Data\Default\Preferences~RF662da7.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3844
Entropy (8bit):	4.905515270045811
Encrypted:	false
SSDEEP:
MD5:	552199E7DDAA49A9E09D85FF4DD7A156
SHA1:	8670408E6579C734DB24340F240BA45B76EB00B3
SHA-256:	5466820D5AE814C256E860279DE997398D841624E337D4196B677831185AACFC
SHA-512:	296FF6D322D0C1B73454450967A5F8E1198FA8F495A1DFFE7A01518FED63807700B8B085B877833A344AEB92EF307CA3E939ED940F1326642A04C46DE3B7B7A3
Malicious:	false
Preview:	{"account_tracker_service_last_update":"13353012666781323","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13353012663851491","apps":{"shortcuts_arch":"","shortcuts_version":0},"browser":{"has_seen_welcome_page":false},"countryid_at_install":17224,"dips_timer_last_update":"13353012670950369","domain_diversity":{"last_reporting_timestamp":"13353012666781441"},"extensions":{"alerts":{"initialized":true},"chrome_url_overrides":{},"last_chrome_version":"119.0.6045.105"},"gcm":{"product_category_for_subtypes":"com.nwjs.windows"},"google":{"services":{"consented_to_sync":false,"signin_scoped_device_id":"5ffe6ba7-9d9f-4bb4-ad1c-3000f808658c"}},"invalidation":{"per_sender_topics_to_handler":{"1013309121859":{}}},"media":{"engagement":{"schema_version":5}},"media_router":{"receiver_id_hash_token":"je4SZefLPzZWxwmTcykwqGrIBgMC8VRMyJPNVRgkE0umU9ug9y/yjxSQrF+62N3bJER3rzAwhLv3T3hz2R8EhA=="},"ntp":{"num_personal_suggestions":1},"optimization_guide":{"previ

C:\Users\user\AppData\Local\FAST!\User Data\Default\Preferences~RF667501.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3844
Entropy (8bit):	4.905515270045811
Encrypted:	false
SSDEEP:
MD5:	552199E7DDAA49A9E09D85FF4DD7A156
SHA1:	8670408E6579C734DB24340F240BA45B76EB00B3
SHA-256:	5466820D5AE814C256E860279DE997398D841624E337D4196B677831185AACFC
SHA-512:	296FF6D322D0C1B73454450967A5F8E1198FA8F495A1DFFE7A01518FED63807700B8B085B877833A344AEB92EF307CA3E939ED940F1326642A04C46DE3B7B7A3
Malicious:	false
Preview:	{"account_tracker_service_last_update":"13353012666781323","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13353012663851491","apps":{"shortcuts_arch":"","shortcuts_version":0},"browser":{"has_seen_welcome_page":false},"countryid_at_install":17224,"dips_timer_last_update":"13353012670950369","domain_diversity":{"last_reporting_timestamp":"13353012666781441"},"extensions":{"alerts":{"initialized":true},"chrome_url_overrides":{},"last_chrome_version":"119.0.6045.105"},"gcm":{"product_category_for_subtypes":"com.nwjs.windows"},"google":{"services":{"consented_to_sync":false,"signin_scoped_device_id":"5ffe6ba7-9d9f-4bb4-ad1c-3000f808658c"}},"invalidation":{"per_sender_topics_to_handler":{"1013309121859":{}}},"media":{"engagement":{"schema_version":5}},"media_router":{"receiver_id_hash_token":"je4SZefLPzZWxwmTcykwqGrIBgMC8VRMyJPNVRgkE0umU9ug9y/yjxSQrF+62N3bJER3rzAwhLv3T3hz2R8EhA=="},"ntp":{"num_personal_suggestions":1},"optimization_guide":{"previ

C:\Users\user\AppData\Local\FAST!\User Data\Default\Preferences~RF66b0c1.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3844
Entropy (8bit):	4.905515270045811
Encrypted:	false
SSDEEP:
MD5:	552199E7DDAA49A9E09D85FF4DD7A156
SHA1:	8670408E6579C734DB24340F240BA45B76EB00B3
SHA-256:	5466820D5AE814C256E860279DE997398D841624E337D4196B677831185AACFC
SHA-512:	296FF6D322D0C1B73454450967A5F8E1198FA8F495A1DFFE7A01518FED63807700B8B085B877833A344AEB92EF307CA3E939ED940F1326642A04C46DE3B7B7A3
Malicious:	false
Preview:	{"account_tracker_service_last_update":"13353012666781323","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13353012663851491","apps":{"shortcuts_arch":"","shortcuts_version":0},"browser":{"has_seen_welcome_page":false},"countryid_at_install":17224,"dips_timer_last_update":"13353012670950369","domain_diversity":{"last_reporting_timestamp":"13353012666781441"},"extensions":{"alerts":{"initialized":true},"chrome_url_overrides":{},"last_chrome_version":"119.0.6045.105"},"gcm":{"product_category_for_subtypes":"com.nwjs.windows"},"google":{"services":{"consented_to_sync":false,"signin_scoped_device_id":"5ffe6ba7-9d9f-4bb4-ad1c-3000f808658c"}},"invalidation":{"per_sender_topics_to_handler":{"1013309121859":{}}},"media":{"engagement":{"schema_version":5}},"media_router":{"receiver_id_hash_token":"je4SZefLPzZWxwmTcykwqGrIBgMC8VRMyJPNVRgkE0umU9ug9y/yjxSQrF+62N3bJER3rzAwhLv3T3hz2R8EhA=="},"ntp":{"num_personal_suggestions":1},"optimization_guide":{"previ

C:\Users\user\AppData\Local\FAST!\User Data\Default\Preferences~RF66eaae.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3844
Entropy (8bit):	4.905515270045811
Encrypted:	false
SSDEEP:
MD5:	552199E7DDAA49A9E09D85FF4DD7A156
SHA1:	8670408E6579C734DB24340F240BA45B76EB00B3
SHA-256:	5466820D5AE814C256E860279DE997398D841624E337D4196B677831185AACFC
SHA-512:	296FF6D322D0C1B73454450967A5F8E1198FA8F495A1DFFE7A01518FED63807700B8B085B877833A344AEB92EF307CA3E939ED940F1326642A04C46DE3B7B7A3
Malicious:	false
Preview:	{"account_tracker_service_last_update":"13353012666781323","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13353012663851491","apps":{"shortcuts_arch":"","shortcuts_version":0},"browser":{"has_seen_welcome_page":false},"countryid_at_install":17224,"dips_timer_last_update":"13353012670950369","domain_diversity":{"last_reporting_timestamp":"13353012666781441"},"extensions":{"alerts":{"initialized":true},"chrome_url_overrides":{},"last_chrome_version":"119.0.6045.105"},"gcm":{"product_category_for_subtypes":"com.nwjs.windows"},"google":{"services":{"consented_to_sync":false,"signin_scoped_device_id":"5ffe6ba7-9d9f-4bb4-ad1c-3000f808658c"}},"invalidation":{"per_sender_topics_to_handler":{"1013309121859":{}}},"media":{"engagement":{"schema_version":5}},"media_router":{"receiver_id_hash_token":"je4SZefLPzZWxwmTcykwqGrIBgMC8VRMyJPNVRgkE0umU9ug9y/yjxSQrF+62N3bJER3rzAwhLv3T3hz2R8EhA=="},"ntp":{"num_personal_suggestions":1},"optimization_guide":{"previ

C:\Users\user\AppData\Local\FAST!\User Data\Default\PreferredApps

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.051821770808046
Encrypted:	false
SSDEEP:
MD5:	2B432FEF211C69C745ACA86DE4F8E4AB
SHA1:	4B92DA8D4C0188CF2409500ADCD2200444A82FCC
SHA-256:	42B55D126D1E640B1ED7A6BDCB9A46C81DF461FA7E131F4F8C7108C2C61C14DE
SHA-512:	948502DE4DC89A7E9D2E1660451FCD0F44FD3816072924A44F145D821D0363233CC92A377DBA3A0A9F849E3C17B1893070025C369C8120083A622D025FE1EACF
Malicious:	false
Preview:	{"preferred_apps":[],"version":1}

C:\Users\user\AppData\Local\FAST!\User Data\Default\README

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	162
Entropy (8bit):	4.273886413532386
Encrypted:	false
SSDEEP:
MD5:	44028E0E05F8498268AA16B5D1BF19FF
SHA1:	1C241C407F2903727920B5069C4582F5D33369C8
SHA-256:	2952D4AD35DC8E19F3D10CEFA90B832EB3923B88C472A22F6FD57D4A5CF84E74
SHA-512:	A8F677CFB8EB25A8A8287AB2ADCF72932FF9AEBFC54EACF55034342BFFA10A212C487B11895C005605737569C24800F5EA82AA9A3FDAED10FD084E897A8FF2C4
Malicious:	false
Preview:	nwjs settings and storage represent user-selected preferences and information and MUST not be extracted, overwritten or modified except through nwjs defined APIs.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4068
Entropy (8bit):	5.518624541150009
Encrypted:	false
SSDEEP:
MD5:	64E8F3210FE21582DC4FF6E629A1A484
SHA1:	EFE037AE96E4DCE6E0352DFB4B41CC5135506797
SHA-256:	85A29E98E025E75B1EABC190D6720E62216301755F51BF895E112DD5E822F051
SHA-512:	F4BFFA9ABB1B34D71636CE6062C537E6B9F9B1D48F92C867196F44E9AF0D5882F5707B3C4DE13049CA00E5739ABE2DB340ED952426D11EC0E5A7876FA02BA074
Malicious:	false
Preview:	{"extensions":{"settings":{"mhjfbmdgcfjbbpaeojofohoefgiehjai":{"active_permissions":{"api":["contentSettings","fileSystem","fileSystem.write","metricsPrivate","tabs","resourcesPrivate","pdfViewerPrivate"],"explicit_host":["chrome://resources/","chrome://webui-test/"],"manifest_permissions":[],"scriptable_host":[]},"commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13353012663852479","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13353012663852479","location":5,"manifest":{"content_security_policy":"script-src 'self' 'wasm-eval' blob: filesystem: chrome://resources chrome://webui-test; object-src * blob: externalfile: file: filesystem: data:","description":"","incognito":"split","key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDN6hM0rsDYGbzQPQfOygqlRtQgKUXMfnSjhIBL7LnReAVBEd7ZmKtyN2qmSasMl4HZpMhVe2rPWVVwBDl6iyNE/Kok6E6v6V3vCLGsOpQAuuNVye/3QxzIldzG/jQAdWZiyXReRVapOhZtLjGfywCvlWq7Sl/e3sbc0vWybSDI2QID

C:\Users\user\AppData\Local\FAST!\User Data\Default\Secure Preferences~RF65ee9a.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4068
Entropy (8bit):	5.518624541150009
Encrypted:	false
SSDEEP:
MD5:	64E8F3210FE21582DC4FF6E629A1A484
SHA1:	EFE037AE96E4DCE6E0352DFB4B41CC5135506797
SHA-256:	85A29E98E025E75B1EABC190D6720E62216301755F51BF895E112DD5E822F051
SHA-512:	F4BFFA9ABB1B34D71636CE6062C537E6B9F9B1D48F92C867196F44E9AF0D5882F5707B3C4DE13049CA00E5739ABE2DB340ED952426D11EC0E5A7876FA02BA074
Malicious:	false
Preview:	{"extensions":{"settings":{"mhjfbmdgcfjbbpaeojofohoefgiehjai":{"active_permissions":{"api":["contentSettings","fileSystem","fileSystem.write","metricsPrivate","tabs","resourcesPrivate","pdfViewerPrivate"],"explicit_host":["chrome://resources/","chrome://webui-test/"],"manifest_permissions":[],"scriptable_host":[]},"commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13353012663852479","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13353012663852479","location":5,"manifest":{"content_security_policy":"script-src 'self' 'wasm-eval' blob: filesystem: chrome://resources chrome://webui-test; object-src * blob: externalfile: file: filesystem: data:","description":"","incognito":"split","key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDN6hM0rsDYGbzQPQfOygqlRtQgKUXMfnSjhIBL7LnReAVBEd7ZmKtyN2qmSasMl4HZpMhVe2rPWVVwBDl6iyNE/Kok6E6v6V3vCLGsOpQAuuNVye/3QxzIldzG/jQAdWZiyXReRVapOhZtLjGfywCvlWq7Sl/e3sbc0vWybSDI2QID

C:\Users\user\AppData\Local\FAST!\User Data\Default\Sessions\Session_13353012674080104

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	2791
Entropy (8bit):	3.285391280050229
Encrypted:	false
SSDEEP:
MD5:	3BB5D15203D74FA9DB092A265198D1E3
SHA1:	12E9691684BB161712951C893B8F6222D1C53ADA
SHA-256:	DE22E019B254F6A08390D3AC377F6318BA54B70559DBA81D37DF4E2C6DC8FD88
SHA-512:	875DE291B4EE118CBD2D488F54FDB3EE12C8602C47B491D6D6B04874651392DAB72EB54547A9F5F57CB742CEF7D9049D639EF060E95BB2E9866B5BF2F5D96BC7
Malicious:	false
Preview:	SNSS..........q....5..0......q&..._nwjs_npaimmhhjcfhbdogdfcmlldgglpldhbm............q...... ...q..........q..........q....!.....q..................................q...q1..,......q$...f81d41f4_c2ca_45d9_9111_2c5d81c4524a......q..........q.....\..~p/..........q..............q....>...chrome-extension://npaimmhhjcfhbdogdfcmlldgglpldhbm/index.html..............!.........................................................................................................^@......^@....P.......h...............`...........................................................>...c.h.r.o.m.e.-.e.x.t.e.n.s.i.o.n.:././.n.p.a.i.m.m.h.h.j.c.f.h.b.d.o.g.d.f.c.m.l.l.d.g.g.l.p.l.d.h.b.m./.i.n.d.e.x...h.t.m.l.....................................8.......0.......8....................................................................... .......................................................P...$...1.a.8.3.b.d.6.7.-.4.a.e.4.-.4.f.c.f.-.a.a.1.1.-.f.b.5.f.c.a.9.e.d.4.a.a.................P...$...4.3.c.8.c.2.1.d.-.2.3.c.2.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Shared Dictionary\cache\index

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Shared Dictionary\cache\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:
MD5:	BF68094C7861F83C3099B4BD55E0917B
SHA1:	24198323EAEBA44011BEE3A14CFDD45444703107
SHA-256:	14CBFEAF2CF9E9A5A855A381F6DD3954C8D9BB67C26D7D4B85F749FB3970982A
SHA-512:	E66182A717576D965BED78BE9FE867DF4C1E0312837C353783FFF4C204F94CE2242EC069F601AD32551924141BBDF9DD518C9331E01814A91EE7F543CB0DA82D
Malicious:	false
Preview:	(......oy retne.........................a..~p/.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Shared Dictionary\cache\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:
MD5:	BF68094C7861F83C3099B4BD55E0917B
SHA1:	24198323EAEBA44011BEE3A14CFDD45444703107
SHA-256:	14CBFEAF2CF9E9A5A855A381F6DD3954C8D9BB67C26D7D4B85F749FB3970982A
SHA-512:	E66182A717576D965BED78BE9FE867DF4C1E0312837C353783FFF4C204F94CE2242EC069F601AD32551924141BBDF9DD518C9331E01814A91EE7F543CB0DA82D
Malicious:	false
Preview:	(......oy retne.........................a..~p/.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Shared Dictionary\db

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 9, database pages 11, cookie 0x8, schema 4, UTF-8, version-valid-for 9
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.40813221339801603
Encrypted:	false
SSDEEP:
MD5:	7C86C0A51A889FEF2886135262FBB1ED
SHA1:	C19182B0AE7F8CDDCC5F835EB01C93C4B5A7BE8E
SHA-256:	E8E1A6894109AF2955E1C6DE54921452C926058576CEF56AE654A357404FCBD9
SHA-512:	0A9580D95CFF5F6E9C16651331BBA41FD7CAB2AAAE027B69498763F25CF6DF91E0E527A2735566A92D63C63CE62E2069B1760C241A11C07F904C84071121F352
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....~.........Z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Shortcuts

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.44194574462308833
Encrypted:	false
SSDEEP:
MD5:	B35F740AA7FFEA282E525838EABFE0A6
SHA1:	A67822C17670CCE0BA72D3E9C8DA0CE755A3421A
SHA-256:	5D599596D116802BAD422497CF68BE59EEB7A9135E3ED1C6BEACC48F73827161
SHA-512:	05C0D33516B2C1AB6928FB34957AD3E03CB0A8B7EEC0FD627DD263589655A16DEA79100B6CC29095C3660C95FD2AFB2E4DD023F0597BD586DD664769CABB67F8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....."....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Site Characteristics Database\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Site Characteristics Database\000003.log

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	3.473726825238924
Encrypted:	false
SSDEEP:
MD5:	148079685E25097536785F4536AF014B
SHA1:	C5FF5B1B69487A9DD4D244D11BBAFA91708C1A41
SHA-256:	F096BC366A931FBA656BDCD77B24AF15A5F29FC53281A727C79F82C608ECFAB8
SHA-512:	C2556034EA51ABFBC172EB62FF11F5AC45C317F84F39D4B9E3DDBD0190DA6EF7FA03FE63631B97AB806430442974A07F8E81B5F7DC52D9F2FCDC669ADCA8D91F
Malicious:	false
Preview:	.On.!................database_metadata.1

C:\Users\user\AppData\Local\FAST!\User Data\Default\Site Characteristics Database\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	297
Entropy (8bit):	5.0430381641576
Encrypted:	false
SSDEEP:
MD5:	40FE419F2994034DEC3E1081CA0D4860
SHA1:	AEAA052ED39F75EBF71EC28062E3B626E7484C4F
SHA-256:	23F8ED9B3FC9CA2B9E2CFBE23D9F5A5D8A3F48AB0ADA745D46CD1F6C5D9F6B8E
SHA-512:	E51E886B3A20E4B1ACE49177A4F3059C90AA75CEC4087894CA99996963FC551997964DB244F2BCE70479D15AB71143A55601AF7D310FB2A63B48D7B5E5E363CB
Malicious:	false
Preview:	2024/02/21-19:11:03.828 13ac Creating DB C:\Users\user\AppData\Local\FAST!\User Data\Default\Site Characteristics Database since it was missing..2024/02/21-19:11:06.626 13ac Reusing MANIFEST C:\Users\user\AppData\Local\FAST!\User Data\Default\Site Characteristics Database/MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Site Characteristics Database\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\FAST!\User Data\Default\Sync Data\LevelDB\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Sync Data\LevelDB\000003.log

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.019797536844534
Encrypted:	false
SSDEEP:
MD5:	90881C9C26F29FCA29815A08BA858544
SHA1:	06FEE974987B91D82C2839A4BB12991FA99E1BDD
SHA-256:	A2CA52E34B6138624AC2DD20349CDE28482143B837DB40A7F0FBDA023077C26A
SHA-512:	15F7F8197B4FC46C4C5C2570FB1F6DD73CB125F9EE53DFA67F5A0D944543C5347BDAB5CCE95E91DD6C948C9023E23C7F9D76CFF990E623178C92F8D49150A625
Malicious:	false
Preview:	...n'................_mts_schema_descriptor...

C:\Users\user\AppData\Local\FAST!\User Data\Default\Sync Data\LevelDB\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	273
Entropy (8bit):	5.136114031367578
Encrypted:	false
SSDEEP:
MD5:	93001DE0C633F3EAF76D13FD655ED955
SHA1:	89A224208EA21C9266C7EB23A5483D9D5CCCF7ED
SHA-256:	04AE7C599B4B1337D3CA3BB8EE854BA52083C4CCCE683320B163157258ED0D57
SHA-512:	15CA607C2E6309D997398E489A43283C6B5B1079957A71C5D4A6EB5A6EC57D0FDC9375107CEEF08C2CCE1DF3476BC14826C0D5D20433AB4809BE92AF70A9AD12
Malicious:	false
Preview:	2024/02/21-19:11:03.844 11f0 Creating DB C:\Users\user\AppData\Local\FAST!\User Data\Default\Sync Data\LevelDB since it was missing..2024/02/21-19:11:06.629 11f0 Reusing MANIFEST C:\Users\user\AppData\Local\FAST!\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\Sync Data\LevelDB\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\FAST!\User Data\Default\Top Sites

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.375597039055199
Encrypted:	false
SSDEEP:
MD5:	8C7D45D642EABC72A37E8C4D1ABAD65E
SHA1:	BFFA29FD9A30F53336F987FEC4CDF0788ABE20C1
SHA-256:	270E8A34810ED611D970F37CF72528AAF45456718F50D4077889637374685A84
SHA-512:	28C2BF727A15D11DBEC3C54CF1A7CCAF1ED59C4DC52914D73DF93E5F496C267922AA866B99F06BA295EC7C75084EA6632C0E2C2CDB0474281559EC152A670407
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Visited Links

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.0033616753448762224
Encrypted:	false
SSDEEP:
MD5:	F35BBAEBE2F85EB128CF2B990AC3C2E7
SHA1:	A3DDD6531EDEA699885277CC35B51289549D949C
SHA-256:	1565892A34FB5A01289B8A40D4074EBB86ED1CAA7104ADAAD03E53E15760873C
SHA-512:	3CB31D8CFEC7FAC3781021D1FDDA74ACB5D6ED2D3BAD55EE618234A15AA811F6981AF6F1A69DC3517929542F1851F2452F8688EC6798EC44A7F873E31C729D54
Malicious:	false
Preview:	VLnk.....?.......=c....8................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Web Applications\_nwjs_npaimmhhjcfhbdogdfcmlldgglpldhbm\52f427e5-7a64-4d48-a621-b82ca2f7934f.tmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	MS Windows icon resource - 9 icons, 8x8, 32 bits/pixel, 10x10, 32 bits/pixel
Category:	dropped
Size (bytes):	28134
Entropy (8bit):	4.6192880827651255
Encrypted:	false
SSDEEP:
MD5:	7649A1AD4DAB9AF22FB0DC10A3387AC3
SHA1:	80505EB7619536E8AA806AE38A82F26671FF4E16
SHA-256:	4BB154D3011F21F0032B2657AD61C49A0954C26AB5BAEF20469D986681A8FF50
SHA-512:	6432268B7A2431F385E2465FA9E4F9DFC81F3F912521BC498158EA6C5DE4746EF46E1CB766D63B6930BC7FBD2F90B71193A0A1C205FE5BB81EC8DC4C4C26EB96
Malicious:	false
Preview:	............ .H............. ............... .p............. .h............. ............... ......... .... .........((.... .h....-..00.... ..%..>H..(............. ............................=...zb...Tl.[w.~...............\f...}.......\z..k..&...............}...........p..B........Zt............................[u.~\y..............................y..&...E..........t........r............................`\|.........................gd...Vr..................................(............. .............................~..c...%....e~..`\|.u...................Ep...c.....Tk...Qp.....<................n...T...............]u.....@..............0....Zt.........................e~.j..........................x........a{.vRo.............................m...........;d...............rT................................x...........................@..............[........Ol..Wt..................................[x..^\|..........................................(............. ...........................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Web Applications\_nwjs_npaimmhhjcfhbdogdfcmlldgglpldhbm\FAST!.ico (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	MS Windows icon resource - 9 icons, 8x8, 32 bits/pixel, 10x10, 32 bits/pixel
Category:	dropped
Size (bytes):	28134
Entropy (8bit):	4.6192880827651255
Encrypted:	false
SSDEEP:
MD5:	7649A1AD4DAB9AF22FB0DC10A3387AC3
SHA1:	80505EB7619536E8AA806AE38A82F26671FF4E16
SHA-256:	4BB154D3011F21F0032B2657AD61C49A0954C26AB5BAEF20469D986681A8FF50
SHA-512:	6432268B7A2431F385E2465FA9E4F9DFC81F3F912521BC498158EA6C5DE4746EF46E1CB766D63B6930BC7FBD2F90B71193A0A1C205FE5BB81EC8DC4C4C26EB96
Malicious:	false
Preview:	............ .H............. ............... .p............. .h............. ............... ......... .... .........((.... .h....-..00.... ..%..>H..(............. ............................=...zb...Tl.[w.~...............\f...}.......\z..k..&...............}...........p..B........Zt............................[u.~\y..............................y..&...E..........t........r............................`\|.........................gd...Vr..................................(............. .............................~..c...%....e~..`\|.u...................Ep...c.....Tk...Qp.....<................n...T...............]u.....@..............0....Zt.........................e~.j..........................x........a{.vRo.............................m...........;d...............rT................................x...........................@..............[........Ol..Wt..................................[x..^\|..........................................(............. ...........................

C:\Users\user\AppData\Local\FAST!\User Data\Default\Web Applications\_nwjs_npaimmhhjcfhbdogdfcmlldgglpldhbm\FAST!.ico.md5

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.875
Encrypted:	false
SSDEEP:
MD5:	C8EB2C4BEC8226D567DBE9DFB508DA7C
SHA1:	B4089FB427D35068F8824AC78867FFAACA200DBE
SHA-256:	768E68A4AD1333A64352F7199CBB54C5F797E70E4ACCDB86829EB98272603A23
SHA-512:	5CBFE5915112A6DD803A63F42A34643A524FF7F3E7D8299636BA25F83228B7CECCDCADE9B82D0E2E5D9A96A401B857DE2B25F2468D8C418F577764F3BD02D688
Malicious:	false
Preview:	...b......Yt=W..

C:\Users\user\AppData\Local\FAST!\User Data\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 55, cookie 0x22, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	112640
Entropy (8bit):	1.126566293396027
Encrypted:	false
SSDEEP:
MD5:	815B48F8D7FA8FF17E56C01805DACC40
SHA1:	67D76324A2D62CD3894B1B34A499CEF84684E2BC
SHA-256:	9DC6BD334749B86FA771E816873355318231D99EE66AC38B66AD43E1E3E2C507
SHA-512:	EF068016555F2623A3CE5422E82364290075C1B127045F662B5619635F2668977B1FFB6B987A45B1ACE24EDEF377E0D863789007809A69A421E87B469751A241
Malicious:	false
Preview:	SQLite format 3......@ .......7..........."......................................................j............2........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\WebStorage\QuotaManager

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 10, cookie 0x7, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.41235120905181716
Encrypted:	false
SSDEEP:
MD5:	981F351994975A68A0DD3ECE5E889FD0
SHA1:	080D3386290A14A68FCE07709A572AF98097C52D
SHA-256:	3F0C0B2460E0AA2A94E0BF79C8944F2F4835D2701249B34A13FD200F7E5316D7
SHA-512:	C5930797C46EEC25D356BAEB6CFE37E9F462DEE2AE8866343B2C382DBAD45C1544EF720D520C4407F56874596B31EFD6822B58A9D3DAE6F85E47FF802DBAA20B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......w..g...........M...w..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\a2c7fbb8-0052-4e07-ba37-89145c9322d3.tmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3844
Entropy (8bit):	4.905515270045811
Encrypted:	false
SSDEEP:
MD5:	552199E7DDAA49A9E09D85FF4DD7A156
SHA1:	8670408E6579C734DB24340F240BA45B76EB00B3
SHA-256:	5466820D5AE814C256E860279DE997398D841624E337D4196B677831185AACFC
SHA-512:	296FF6D322D0C1B73454450967A5F8E1198FA8F495A1DFFE7A01518FED63807700B8B085B877833A344AEB92EF307CA3E939ED940F1326642A04C46DE3B7B7A3
Malicious:	false
Preview:	{"account_tracker_service_last_update":"13353012666781323","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13353012663851491","apps":{"shortcuts_arch":"","shortcuts_version":0},"browser":{"has_seen_welcome_page":false},"countryid_at_install":17224,"dips_timer_last_update":"13353012670950369","domain_diversity":{"last_reporting_timestamp":"13353012666781441"},"extensions":{"alerts":{"initialized":true},"chrome_url_overrides":{},"last_chrome_version":"119.0.6045.105"},"gcm":{"product_category_for_subtypes":"com.nwjs.windows"},"google":{"services":{"consented_to_sync":false,"signin_scoped_device_id":"5ffe6ba7-9d9f-4bb4-ad1c-3000f808658c"}},"invalidation":{"per_sender_topics_to_handler":{"1013309121859":{}}},"media":{"engagement":{"schema_version":5}},"media_router":{"receiver_id_hash_token":"je4SZefLPzZWxwmTcykwqGrIBgMC8VRMyJPNVRgkE0umU9ug9y/yjxSQrF+62N3bJER3rzAwhLv3T3hz2R8EhA=="},"ntp":{"num_personal_suggestions":1},"optimization_guide":{"previ

C:\Users\user\AppData\Local\FAST!\User Data\Default\b4d7cb59-4fb5-44dd-b820-ed37c16b2888.tmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	5031
Entropy (8bit):	5.1270765812851105
Encrypted:	false
SSDEEP:
MD5:	1EC7E71E8D5B348FB741EEE39CA8A6C6
SHA1:	4985D6AFA460BDBB7BC69232BB1EFFE54F2469F5
SHA-256:	0A2D328613B2962C277E011CB73550DEC3E041A88B9D16B4942B7139E9DE9108
SHA-512:	63130FA3DEC4BE02B0FAFBB93B1EA9C16191E5A7C13F136B92A32E961D092EC5C19C8F140E204757131BD3C4E769AD436CBB6D3992B0337A65C27FB63C40E822
Malicious:	false
Preview:	{"account_tracker_service_last_update":"13353012666781323","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13353012663851491","apps":{"shortcuts_arch":"","shortcuts_version":0},"autocomplete":{"retention_policy_last_version":119},"browser":{"has_seen_welcome_page":false,"window_placement_popup":{"bottom":717,"fullscreen":false,"left":240,"maximized":false,"right":1040,"top":267,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":17224,"dips_timer_last_update":"13353012670950369","domain_diversity":{"last_reporting_timestamp":"13353012666781441"},"extensions":{"alerts":{"initialized":true},"chrome_url_overrides":{},"last_chrome_version":"119.0.6045.105"},"gcm":{"product_category_for_subtypes":"com.nwjs.windows"},"google":{"services":{"consented_to_sync":false,"signin_scoped_device_id":"5ffe6ba7-9d9f-4bb4-ad1c-3000f808658c"}},"invalidation":{"per_sender_topics_to_handler":{"1013309121859":

C:\Users\user\AppData\Local\FAST!\User Data\Default\databases\Databases.db

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 7, cookie 0x4, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.3410017321959524
Encrypted:	false
SSDEEP:
MD5:	98643AF1CA5C0FE03CE8C687189CE56B
SHA1:	ECADBA79A364D72354C658FD6EA3D5CF938F686B
SHA-256:	4DC3BF7A36AB5DA80C0995FAF61ED0F96C4DE572F2D6FF9F120F9BC44B69E444
SHA-512:	68B69FCE8EF5AB1DDA2994BA4DB111136BD441BC3EFC0251F57DC20A3095B8420669E646E2347EAB7BAF30CACA4BCF74BD88E049378D8DE57DE72E4B8A5FF74B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....P....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\eadd16b4-0c15-4e59-bb78-8d0ca4dad53e.tmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	MS Windows icon resource - 13 icons, 8x8, 32 bits/pixel, 10x10, 32 bits/pixel
Category:	dropped
Size (bytes):	151668
Entropy (8bit):	1.0550957398929903
Encrypted:	false
SSDEEP:
MD5:	728FE78292F104659FEA5FC90570CC75
SHA1:	11B623F76F31EC773B79CDB74869ACB08C4052CB
SHA-256:	D98E226BEA7A9C56BFDFAB3C484A8E6A0FB173519C43216D3A1115415B166D20
SHA-512:	91E81B91B29D613FDDE24B010B1724BE74F3BAE1D2FB4FAA2C015178248ED6A0405E2B222F4A557A6B895663C159F0BF0DC6D64D21259299E36F53D95D7067AA
Malicious:	false
Preview:	............ .H............. ............... .p............. .h...n......... ............... ......... .... .....n...((.... .h.......00.... ..%..~H..@@.... .(B..&n..``.... .....N......... .(....D........ .V....M..(............. .........................................................................................................................................................................................................................................................................................................................(............. ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\heavy_ad_intervention_opt_out.db

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 4, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.35226517389931394
Encrypted:	false
SSDEEP:
MD5:	D2CCDC36225684AAE8FA563AFEDB14E7
SHA1:	3759649035F23004A4C30A14C5F0B54191BEBF80
SHA-256:	080AEE864047C67CB1586A5BA5EDA007AFD18ECC2B702638287E386F159D7AEE
SHA-512:	1A915AF643D688CA68AEDC1FF26C407D960D18DFDE838B417C437D7ADAC7B91C906E782DCC414784E64287915BD1DE5BB6A282E59AA9FEB8C384B4D4BC5F70EC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......Q......Q......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Default\shared_proto_db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\shared_proto_db\000003.log

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	modified
Size (bytes):	5747
Entropy (8bit):	6.5303090055789
Encrypted:	false
SSDEEP:
MD5:	F66DC890E6E0AF01289415864E92B7C4
SHA1:	874E97117A58269B708D7062B08C23EA3D3684CD
SHA-256:	C2A28E8316F6A0EE486DDDC25508336D1353D6AB62F5C34B704B6BB9078D7E44
SHA-512:	F34C62A553859653A03E2AA46B568C42BFB30D301EBB4DEEA86BAFC786AB36FB6BAA3FACF655F6BF8A242B7056F6D5649B167477115B7C2CDF1CD6BB51AF7F18
Malicious:	false
Preview:	A..r.................20_1_1...1.,U.................20_1_1...1..&f.................VM.................37_DEFAULT_16v...h.... .(.0.R.(....Session.TotalDuration.T<.A..GO .(.0.../.'.%....?..ChromeLowUserEngagement..Other...... .(...10....h.................37_DEFAULT_21........... .(.0.RZ.X...CCommerce.PriceDrops.ActiveTabNavigationComplete.IsProductDetailPage.w.cG$.. .(.0.8.R9.7...$Autofill_PolledCreditCardSuggestions...c..vP. .(.0...$........?..ShoppingUser..Other...... .(...10...eV.................37_DEFAULT_23........... .(.0.RH.F...1Omnibox.SuggestionUsed.ClientSummarizedResultType.q/.v.g:` .(.0.8.h...8.0........?..Low......@..Medium......A..High..None...... .(...10.....................37_DEFAULT_27........... .(.0.R=.;...."%..wait_for_device_info_in_seconds..60.SyncDeviceInfoh.p...t.r.p....AndroidPhone..IosPhoneChrome..AndroidTablet..IosTablet..Desktop..Other..SyncedAndFirstDevice..NotSynced....= .(...10.2.v.6................37_DEFAULT_1001............ .(.0.R+.)....Sync.Devic

C:\Users\user\AppData\Local\FAST!\User Data\Default\shared_proto_db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	267
Entropy (8bit):	5.186062873270681
Encrypted:	false
SSDEEP:
MD5:	D81FCB012533BC2CE8AE338384209947
SHA1:	DA402A64A0699282E4B06342E119A293AE4AC591
SHA-256:	B3A1DFCB39735E14496EEFB8C77520505D2A30A15D291DEA505A7503C7E48990
SHA-512:	39D2C1B7551791EFC460F335FCDAE9C9AFDC3BED055B50C633FC94404CFA7CA889119D7F4B6A736DEFFCA176DA915DDAF03FB114C83D049E6BEA6BC90C5B49C4
Malicious:	false
Preview:	2024/02/21-19:11:08.894 190 Creating DB C:\Users\user\AppData\Local\FAST!\User Data\Default\shared_proto_db since it was missing..2024/02/21-19:11:08.921 190 Reusing MANIFEST C:\Users\user\AppData\Local\FAST!\User Data\Default\shared_proto_db/MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\shared_proto_db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\FAST!\User Data\Default\shared_proto_db\metadata\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	903
Entropy (8bit):	3.9850904581808226
Encrypted:	false
SSDEEP:
MD5:	51F64FE557AFA80A98D48F0D7F341192
SHA1:	E959862C3F9B7F4D22EB03202D7FD85171FC60DC
SHA-256:	7A03584D94E96559505D4C79A37BB6F369987417899B3C2F61BE2C804F0F5DB4
SHA-512:	993AD66D55FC1811A5AB243CAB69512EE61570034D2CE2614D6B26B066B012A43610AECBF605E35A6DA04699CBE0F4B585255534D6FFEF341DC4FAF1653D206B
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .\....................49_.....a....................48_......F...................44_......G&..................33_.......Z..................44_......(.O.................49_......@G..................48_.....Jp...................33_......x...................41_......5[r.................41_........_.................20_.....L}...................19_......dp?.................37_....."xO..................38_.....?.b.................39_.....y..-.................3_.....V.1..................4_......w.\|.................20_..........................20_....."..o.................19_..........................37_.....J....................38_.....7.9..................39_.......4..................3_........k.................4_......Y.W.................21_..........................21_......U..................9_..........................9_.....

C:\Users\user\AppData\Local\FAST!\User Data\Default\shared_proto_db\metadata\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.179143484559683
Encrypted:	false
SSDEEP:
MD5:	5011199300636DEA51F831245C58C616
SHA1:	1E82477013845B6351529517AFF6A73249EB0FEB
SHA-256:	864758F2098A4FEC1A39B657379654CBE03BF16829D6EB0109C228437EF66CD9
SHA-512:	899B66F5F86D760DE1FC1E3C07A836A7C43E14BD1C2581937930E54A7C937FA72063E74EF6A9069FE705A1788431FBE8E9860908910FC529537F9C912BA258C3
Malicious:	false
Preview:	2024/02/21-19:11:06.807 190 Creating DB C:\Users\user\AppData\Local\FAST!\User Data\Default\shared_proto_db\metadata since it was missing..2024/02/21-19:11:07.479 190 Reusing MANIFEST C:\Users\user\AppData\Local\FAST!\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.

C:\Users\user\AppData\Local\FAST!\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\FAST!\User Data\GrShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\GrShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\GrShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\GrShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\GrShaderCache\index

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:
MD5:	699C3E954089588A94CE63E5A3D59DEF
SHA1:	ADDED6335C6FE0A1E9E4349B92DF786FF487F72E
SHA-256:	E0A2E2A23FD1F9DF3840397750567163C7ADB64690E7CA20EC08883316F83FC1
SHA-512:	0E618C06D488A3F4B176E100A0958C2D57C68DE255B587B1AAC8D27F85EF82E0D1FDB8A19551D91B99641B65296D61A98EEDA4760FC08BBC613382E803E061B7
Malicious:	false
Preview:	..........................................~p/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\GraphiteDawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\GraphiteDawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\GraphiteDawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\GraphiteDawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\GraphiteDawnCache\index

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:
MD5:	97F478389D0C9B7DEB597DA10D4BEA3F
SHA1:	7E6CE0C1F98608BFC09E029F6E76EACC73D8F8E6
SHA-256:	D9D95510DEF95F31C420B2AB3606DE404C990D39814645A1945962179166EECD
SHA-512:	4BED375A27015F01557EB028551C6850D0E62FCAB3F2913F357FFE0600FE5459E5849A1DC1E9F3C8E966C6D0E3144016B34FC9092760E814B389163BE5C26226
Malicious:	false
Preview:	.........................................,.~p/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Last Browser

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	80
Entropy (8bit):	3.267091859889593
Encrypted:	false
SSDEEP:
MD5:	A53422B82D0B8F8E25E193BF62452674
SHA1:	66D47426A865A6F2E2D1BBEA6A9832C0872EF17F
SHA-256:	3687983DC312C0426D92B2094540DA529249D5B8C23E7A25154BF42EFED754AD
SHA-512:	2C9B0A9AD46930DB253476CD363A0633752C7DED10970A2985C681B019E1F6FE764755D6F1A904FB7820A959C39B9B4B0E0632FA1CE839E930FA144197096AC8
Malicious:	false
Preview:	C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.F.a.s.t.!.\.n.w.j.s.\.n.w...e.x.e.

C:\Users\user\AppData\Local\FAST!\User Data\Last Version

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	14
Entropy (8bit):	2.6455933144511468
Encrypted:	false
SSDEEP:
MD5:	7FBACBA300F2A4D7D19A510D7DA4CF3F
SHA1:	82A371D323A11C7195567F77036214AC315BC2C4
SHA-256:	685029F648BEBC43B71E8DF8944A7BFDBAAF4F6535BC08BD791650339663E214
SHA-512:	2FD2ECAA4CD537925636D05EA53CE52030AD2ABC61F99913A8E4D64FE377E8177C291ED92E572CB94B44CCFCF96022528A7F55B1BB01A6F0C3F6285EA6BAB1A0
Malicious:	false
Preview:	119.0.6045.105

C:\Users\user\AppData\Local\FAST!\User Data\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	868
Entropy (8bit):	5.7146325700273
Encrypted:	false
SSDEEP:
MD5:	A5FBF548C24ECC55226DF8C4E199BF4E
SHA1:	9588F2803BA96DAE9390DDBBC500A3DB25193213
SHA-256:	03AA75CD272EA32F023970BB14EC4069DC28CF6EB841256058F1787E6D769987
SHA-512:	209226C89A7635CCF0271AD426AF52AEB1AD248FCAD6FAAF17F965D9F15B99F0764179E496BB4D5A8127CC8FBCA0881ECFE10EE548F1140C756F17113AE9B7B0
Malicious:	false
Preview:	{"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAD8wmKZK+OSSZ9tAUneByBPEAAAAAoAAABuAHcAagBzAAAAEGYAAAABAAAgAAAAd26Tq0OFIRQlEDwzxY+9XJx1clRngMs7gGCpXYnhyxEAAAAADoAAAAACAAAgAAAATYM/HO5uplLfG2BmaDCNuDXl07FMnMXMO+6IBa16yvkwAAAA0LpQINke5/9fCnDc0DVqkFV85logK4+Y0YZc4yWxIiT4khL6vVkh8yz27Q0sEzz3QAAAADN2CuefQv7yU59Jq64P8veLq8andbIjDUjKK1EtmxZBZuHXlcQDYIRduNwCMAKHAV6mFQls7xnSheDokCXjMBE="},"profile":{"info_cache":{},"profile_counts_reported":"13353012663539251","profiles_order":[]},"uninstall_metrics":{"installation_date2":"1708539063"},"user_experience_metrics":{"low_entropy_source3":1379,"pseudo_low_entropy_source":6902,"stability":{"browser_last_live_timestamp":"13353012663387633","stats_buildtime":"1683435600","stats_version":"119.0.6045.105-64-devel","system_crash_count":0}}}

C:\Users\user\AppData\Local\FAST!\User Data\Local State~RF65c74c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	868
Entropy (8bit):	5.7146325700273
Encrypted:	false
SSDEEP:
MD5:	A5FBF548C24ECC55226DF8C4E199BF4E
SHA1:	9588F2803BA96DAE9390DDBBC500A3DB25193213
SHA-256:	03AA75CD272EA32F023970BB14EC4069DC28CF6EB841256058F1787E6D769987
SHA-512:	209226C89A7635CCF0271AD426AF52AEB1AD248FCAD6FAAF17F965D9F15B99F0764179E496BB4D5A8127CC8FBCA0881ECFE10EE548F1140C756F17113AE9B7B0
Malicious:	false
Preview:	{"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAD8wmKZK+OSSZ9tAUneByBPEAAAAAoAAABuAHcAagBzAAAAEGYAAAABAAAgAAAAd26Tq0OFIRQlEDwzxY+9XJx1clRngMs7gGCpXYnhyxEAAAAADoAAAAACAAAgAAAATYM/HO5uplLfG2BmaDCNuDXl07FMnMXMO+6IBa16yvkwAAAA0LpQINke5/9fCnDc0DVqkFV85logK4+Y0YZc4yWxIiT4khL6vVkh8yz27Q0sEzz3QAAAADN2CuefQv7yU59Jq64P8veLq8andbIjDUjKK1EtmxZBZuHXlcQDYIRduNwCMAKHAV6mFQls7xnSheDokCXjMBE="},"profile":{"info_cache":{},"profile_counts_reported":"13353012663539251","profiles_order":[]},"uninstall_metrics":{"installation_date2":"1708539063"},"user_experience_metrics":{"low_entropy_source3":1379,"pseudo_low_entropy_source":6902,"stability":{"browser_last_live_timestamp":"13353012663387633","stats_buildtime":"1683435600","stats_version":"119.0.6045.105-64-devel","system_crash_count":0}}}

C:\Users\user\AppData\Local\FAST!\User Data\Local State~RF65f2a2.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	868
Entropy (8bit):	5.7146325700273
Encrypted:	false
SSDEEP:
MD5:	A5FBF548C24ECC55226DF8C4E199BF4E
SHA1:	9588F2803BA96DAE9390DDBBC500A3DB25193213
SHA-256:	03AA75CD272EA32F023970BB14EC4069DC28CF6EB841256058F1787E6D769987
SHA-512:	209226C89A7635CCF0271AD426AF52AEB1AD248FCAD6FAAF17F965D9F15B99F0764179E496BB4D5A8127CC8FBCA0881ECFE10EE548F1140C756F17113AE9B7B0
Malicious:	false
Preview:	{"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAD8wmKZK+OSSZ9tAUneByBPEAAAAAoAAABuAHcAagBzAAAAEGYAAAABAAAgAAAAd26Tq0OFIRQlEDwzxY+9XJx1clRngMs7gGCpXYnhyxEAAAAADoAAAAACAAAgAAAATYM/HO5uplLfG2BmaDCNuDXl07FMnMXMO+6IBa16yvkwAAAA0LpQINke5/9fCnDc0DVqkFV85logK4+Y0YZc4yWxIiT4khL6vVkh8yz27Q0sEzz3QAAAADN2CuefQv7yU59Jq64P8veLq8andbIjDUjKK1EtmxZBZuHXlcQDYIRduNwCMAKHAV6mFQls7xnSheDokCXjMBE="},"profile":{"info_cache":{},"profile_counts_reported":"13353012663539251","profiles_order":[]},"uninstall_metrics":{"installation_date2":"1708539063"},"user_experience_metrics":{"low_entropy_source3":1379,"pseudo_low_entropy_source":6902,"stability":{"browser_last_live_timestamp":"13353012663387633","stats_buildtime":"1683435600","stats_version":"119.0.6045.105-64-devel","system_crash_count":0}}}

C:\Users\user\AppData\Local\FAST!\User Data\ShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\ShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\ShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\ShaderCache\index

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:
MD5:	456DF64FB1D69D73D0303FF78A1A3A3A
SHA1:	BF89DAFAA5CC83501E8018BE2ED85DB1C556EB18
SHA-256:	EB18A3A8AA4BA4AE156D6852978FFA03FBCA4018B3C539EC102E449E1D6AC21A
SHA-512:	9A23BE4ADE45D1E2E679C01795274B3236308A4F32DB98F5EF7565410CF362F82180D9B1FAFF71090DA2D5CEDCE81F6452AD151F1BEEE4254116E89060305496
Malicious:	false
Preview:	........................................r.~p/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\FAST!\User Data\Variations

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.3751917412896075
Encrypted:	false
SSDEEP:
MD5:	961E3604F228B0D10541EBF921500C86
SHA1:	6E00570D9F78D9CFEBE67D4DA5EFE546543949A7
SHA-256:	F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
SHA-512:	535F930AFD2EF50282715C7E48859CC2D7B354FF4E6C156B94D5A2815F589B33189FFEDFCAF4456525283E993087F9F560D84CFCF497D189AB8101510A09C472
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":false,"variations_crash_streak":0}

C:\Users\user\AppData\Local\FAST!\User Data\e7e18dac-4813-42ae-af24-5dbe19ccce73.tmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2658
Entropy (8bit):	5.642952716417178
Encrypted:	false
SSDEEP:
MD5:	76F25BB4E19FEDBA123C133B614A2D9C
SHA1:	EBC352F1247D29DB012008A9F1411811B9473231
SHA-256:	732574353CCA0CE20BA0B3A20F9C6EE2A8D60D4291557BBC7420D5125F02B34A
SHA-512:	5B111FF8963429B79F88BCB86F740DFCF62346DF1057F6FDF03D3740EC4ADBE7CB9588107F95E64A7A7D177F3AB6DC78A30622A28CF401BFF0C79F3433780C8C
Malicious:	false
Preview:	{"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"management":{"platform":{"azure_active_directory":0,"enterprise_mdm_win":0}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAD8wmKZK+OSSZ9tAUneByBPEAAAAAoAAABuAHcAagBzAAAAEGYAAAABAAAgAAAAd26Tq0OFIRQlEDwzxY+9XJx1clRngMs7gGCpXYnhyxEAAAAADoAAAAACAAAgAAAATYM/HO5uplLfG2BmaDCNuDXl07FMnMXMO+6IBa16yvkwAAAA0LpQINke5/9fCnDc0DVqkFV85logK4+Y0YZc4yWxIiT4khL6vVkh8yz27Q0sEzz3QAAAADN2CuefQv7yU59Jq64P8veLq8andbIjDUjKK1EtmxZBZuHXlcQDYIRduNwCMAKHAV6mFQls7xnSheDokCXjMBE="},"policy":{"last_statistics_update":"13353012663671255"},"profile":{"info_cache":{"Default":{"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_26","background_apps":false,"force_signin_profile_locked":false,"gaia_id":"","is_consented_primary_account":false,"is_ephemeral":false,"is_using_default_avatar":true,"is_using_default_name":true,"managed_user_id":"","name":"Person 1","shortcut_name":"Person 1","signin

C:\Users\user\AppData\Local\FAST!\User Data\segmentation_platform\ukm_db

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 7, cookie 0x6, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.35721947592478775
Encrypted:	false
SSDEEP:
MD5:	CF7B71E1F446640439290AAD6A36394F
SHA1:	3B9BFB524A8A82980E72DF39872AE77363CC9F85
SHA-256:	3B8B5249AF39D78D22B02D9E0E4DC26266086BBB77CAADBF28F1E38E8944691D
SHA-512:	C1707F678A11F0E3DED6D0634506554AC3E19D82A839991E1EDEE41BC70A0A6164F4AF4DE325B18E2BCB22C6C0CE21F62B6497FC54FCEBF0409FBF986519B84E
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................x..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BigTestFile

Download File

Process:	C:\Program Files (x86)\Fast!\fast!.exe
File Type:	data
Category:	modified
Size (bytes):	25600000
Entropy (8bit):	0.022346260236084957
Encrypted:	false
SSDEEP:
MD5:	44FB8F21B6795D6CF2F1F5A5484920DF
SHA1:	2E319197D4658E4DF3AAA447C02CDA27637A9AC4
SHA-256:	BAC18353056434C0E46E6AB842551AAD43A8DFE03C060167F3D02CBD46825046
SHA-512:	07A7C97F3D03AD1F418EE31F7D6A3F4D474FCDCF250387433B779A41F042783810276CDADF0542670049E13659A05544F60DED4982C89F0DF25B967423D61FEF
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\d8138e0e-6098-4443-81a5-6c4faacbfab8.tmp

Download File

Process:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 84349
Category:	modified
Size (bytes):	81813
Entropy (8bit):	7.996857723267819
Encrypted:	true
SSDEEP:
MD5:	6365E7A7204835B97FB730805EB15F47
SHA1:	684D5C23B1EC33B23C4C948B78A4194C7CC39F9F
SHA-256:	1A8230459D46AD78B128F8853EE857E8D76324EF3902F7D00D352B2F11F2A924
SHA-512:	3E77499CA99F5ECEC8A6A3E5003CE83D95E2F82D751F96F6499DC6270E0B16E8F26061BFF87C626A9316B7EFFCA881D798A460AF7EC467C458B4040D8848D170
Malicious:	false
Preview:	...........kw.F.(...u.....b."..-P...N&>;.}.Lf.ht. .Eb....Jb$..[U..@...>..u3...wwuuuUuu...........E..gI.yU-.............E..Y.7...c.(./VE2.W{.A.RW..YU$../D..x..O....{......4......%.\|y...G...4.>....G?.}..O....N.8ts.f.M.W.......'U'....7{.a..Uyp..^.$..v.U.m>]...?}.5.<....a}.~S....@..../>..+V...^[s.I6....'l.1....X...(yz3.?a5OJ.O`.......X.jYd{f/..V....1K.3...._......b/.Z.^._.I.c..#,S..$.l/.J..>.OU.T.a.Y....o."/...8..j..8.3..u....;......^.(1.Q..wo....~z......7.....8.G.r....z.c..\.'q.z..Uf#.......eu..T.k.3S g.dk..[R.....v`...X..F.E.Oy6.....^...#............\.....6..........Uk...<..0..%Q.......d...........w...........,..a.. #5..z._p...z./.h..%..U^....a...V.fskg.5.....H5..a.._w.ol..]...x.(...n.j..i..{6...&.......(...C.x..^....5.Q.y..'W.uW7....]......W.~.......C..4.].........WE..P.gH.q.%Y....I4..Q~...H_o.,........%.D... ....K -.....(a\|...$./.3..2m ..u.g..6..O.s.qD..+Bk..#P........1...\|&.U.!...f....?.?y.?.B......b.P......i..+..d.....Y.l..} .P.

C:\Users\user\AppData\Local\Temp\nsb9574.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Setup (1).exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.814115788739565
Encrypted:	false
SSDEEP:
MD5:	CFF85C549D536F651D4FB8387F1976F2
SHA1:	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:	531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsb9574.tmp\inetc.dll

Download File

Process:	C:\Users\user\Desktop\Setup (1).exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	39424
Entropy (8bit):	4.684597989866362
Encrypted:	false
SSDEEP:
MD5:	A35CDC9CF1D17216C0AB8C5282488EAD
SHA1:	ED8E8091A924343AD8791D85E2733C14839F0D36
SHA-256:	A793929232AFB78B1C5B2F45D82094098BCF01523159FAD1032147D8D5F9C4DF
SHA-512:	0F15B00D0BF2AABD194302E599D69962147B4B3EF99E5A5F8D5797A7A56FD75DD9DB0A667CFBA9C758E6F0DAB9CED126A9B43948935FE37FC31D96278A842BDF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........&.[.H.[.H.[.H.O.I.R.H.[.I...H...M.Y.H...L.Z.H...H.Z.H.....Z.H...J.Z.H.Rich[.H.................PE..L...n..c...........!.....T.........._........p............................... ............@..........................x......D...d...............................t....w..8...............................................D............................text....S.......T.................. ..`.rdata.......p.......X..............@..@.data....i...........d..............@....idata..A............v..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsb9574.tmp\modern-wizard.bmp

Download File

Process:	C:\Users\user\Desktop\Setup (1).exe
File Type:	PC bitmap, Windows 3.x format, 164 x 314 x 4, image size 26376, resolution 2834 x 2834 px/m, cbSize 26494, bits offset 118
Category:	dropped
Size (bytes):	26494
Entropy (8bit):	1.9568109962493656
Encrypted:	false
SSDEEP:
MD5:	CBE40FD2B1EC96DAEDC65DA172D90022
SHA1:	366C216220AA4329DFF6C485FD0E9B0F4F0A7944
SHA-256:	3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
SHA-512:	62990CB16E37B6B4EFF6AB03571C3A82DCAA21A1D393C3CB01D81F62287777FB0B4B27F8852B5FA71BC975FEAB5BAA486D33F2C58660210E115DE7E2BD34EA63
Malicious:	false
Preview:	BM~g......v...(.......:............g..................................................................................DDD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@..DDD....DDDDDD........................................DDDDDDDDDD....DDDDDDDDD........DD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDD@@@@DDDDDDDDDD@@@@@@D..DD....DDDDDDD......................................DDDDDDDDDD....DDDDDDDDDD......D..D@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@DDD..D.....DDDDDD......................................DDDDDDDDD.....DDDDDDDDD......DDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@@DDDD.......DDDDDD.....................................DDDDDDDDDD....DDDDDDDDDD.....DDDDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@DDDDDD.......DDDDDD....................................DDDDDDDDD....DDDDDDDDDD......DDDDDD..@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

C:\Users\user\AppData\Local\Temp\nsb9574.tmp\nsDialogs.dll

Download File

Process:	C:\Users\user\Desktop\Setup (1).exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.158136237602734
Encrypted:	false
SSDEEP:
MD5:	6C3F8C94D0727894D706940A8A980543
SHA1:	0D1BCAD901BE377F38D579AAFC0C41C0EF8DCEFD
SHA-256:	56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2
SHA-512:	2094F0E4BB7C806A5FF27F83A1D572A5512D979EEFDA3345BAFF27D2C89E828F68466D08C3CA250DA11B01FC0407A21743037C25E94FBE688566DD7DEAEBD355
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|..c8O`08O`08O`08Oa0.O`0.@=05O`0llP0=O`0.If09O`0.od09O`0Rich8O`0........PE..L.....Oa...........!.........0......g........0............................................@..........................6..k....0.......p...............................................................................0...............................text............................... ..`.rdata..{....0......................@..@.data...h!...@......................@....rsrc........p....... ..............@..@.reloc..~............"..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsjF660.tmp\SimpleSC.dll

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1110016
Entropy (8bit):	6.62382554711905
Encrypted:	false
SSDEEP:
MD5:	7B89329C6D8693FB2F6A4330100490A0
SHA1:	851B605CDC1C390C4244DB56659B6B9AA8ABD22C
SHA-256:	1620CDF739F459D1D83411F93648F29DCF947A910CC761E85AC79A69639D127D
SHA-512:	AC07972987EE610A677EA049A8EC521A720F7352D8B93411A95FD4B35EC29BFD1D6CCF55B48F32CC84C3DCEEF05855F723A88708EB4CF23CAEC77E7F6596786A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...9.`............................L........ ....@......................................................................................2......................@f......................................................X............................text............................... ..`.itext..d........................... ..`.data...x;... ...<..................@....bss....@d...`...........................idata...............<..............@....didata..............L..............@....edata...............N..............@..@.rdata..E............T..............@..@.reloc..@f.......h...V..............@..B.rsrc....2.......2..................@..@....................................@..@........................................................

C:\Users\user\AppData\Local\Temp\nsjF660.tmp\System.dll

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.814115788739565
Encrypted:	false
SSDEEP:
MD5:	CFF85C549D536F651D4FB8387F1976F2
SHA1:	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:	531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsjF660.tmp\inetc.dll

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	39424
Entropy (8bit):	4.684597989866362
Encrypted:	false
SSDEEP:
MD5:	A35CDC9CF1D17216C0AB8C5282488EAD
SHA1:	ED8E8091A924343AD8791D85E2733C14839F0D36
SHA-256:	A793929232AFB78B1C5B2F45D82094098BCF01523159FAD1032147D8D5F9C4DF
SHA-512:	0F15B00D0BF2AABD194302E599D69962147B4B3EF99E5A5F8D5797A7A56FD75DD9DB0A667CFBA9C758E6F0DAB9CED126A9B43948935FE37FC31D96278A842BDF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........&.[.H.[.H.[.H.O.I.R.H.[.I...H...M.Y.H...L.Z.H...H.Z.H.....Z.H...J.Z.H.Rich[.H.................PE..L...n..c...........!.....T.........._........p............................... ............@..........................x......D...d...............................t....w..8...............................................D............................text....S.......T.................. ..`.rdata.......p.......X..............@..@.data....i...........d..............@....idata..A............v..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsjF660.tmp\nsExec.dll

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	5.298362543684714
Encrypted:	false
SSDEEP:
MD5:	675C4948E1EFC929EDCABFE67148EDDD
SHA1:	F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
SHA-256:	1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
SHA-512:	61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L.....Oa...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Fast!\Fast!.lnk

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Fri Feb 2 13:51:00 2024, mtime=Wed Feb 21 17:10:57 2024, atime=Fri Feb 2 13:51:00 2024, length=672088, window=hide
Category:	dropped
Size (bytes):	1938
Entropy (8bit):	3.2370983352725
Encrypted:	false
SSDEEP:
MD5:	8671D0506528D7A4FAE64A109A9C280A
SHA1:	2464756B5C630E5AF5726928A2279332C286B9DF
SHA-256:	9AF1CD392EF15149112D789DDB3B71A1E52BFA685DB2AD51E76B9AA2E00D3752
SHA-512:	C87934B83A70AC44C506CB8BA5B3AFA84F321DB65E3322B6A8030D000184F5D7DE140402A2E81174123672910D3066FA60EEA835F1BB6C5F1DC2AE96620131B6
Malicious:	false
Preview:	L..................F.@.. ....bf<.U...cOQ.d...bf<.U..XA......................s....P.O. .:i.....+00.../C:\.....................1.....UXA...PROGRA~2.........O.IUXK.....................V.......s.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....P.1.....UX]...Fast!.<......UXA.UX]...........................2.T.F.a.s.t.!.....\.2.XA..BX`v .fast!.exe.D......BX`vUXV...............................f.a.s.t.!...e.x.e.......U...............-.......T............O.......C:\Program Files (x86)\Fast!\fast!.exe..>.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.F.a.s.t.!.\.f.a.s.t.!...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.F.a.s.t.!.&.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.F.a.s.t.!.\.F.a.s.t.!...e.x.e.........%ProgramFiles%\Fast!\Fast!.exe......................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Fast!\Uninstall.lnk

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Wed Feb 21 17:10:57 2024, mtime=Wed Feb 21 17:10:57 2024, atime=Wed Feb 21 17:10:57 2024, length=477260, window=hide
Category:	dropped
Size (bytes):	1984
Entropy (8bit):	3.3409809616677935
Encrypted:	false
SSDEEP:
MD5:	11C8F01DE1C763A2E8EF3072A5D73478
SHA1:	69C0C6C5F0C559CF20AA540D30ED68F48E252B7C
SHA-256:	764F77EAD0E5EE4C33F0FFA5A2F34C4228947F96B95483CE09F5905A442FF514
SHA-512:	A0C12B3C0FD4CD7D5D6D4355C1D577E70559B5422FCFC0432E1FBD0D52371FE5104FCE1D46566985D0776998BA69D11108DAB4CE20E6563984BF862130FEA374
Malicious:	false
Preview:	L..................F.@.. ....<HQ.d...<HQ.d...<HQ.d..LH...........................P.O. .:i.....+00.../C:\.....................1.....UXA...PROGRA~2.........O.IUXK.....................V.......s.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....P.1.....UX]...Fast!.<......UXA.UX]...........................2.T.F.a.s.t.!.....l.2.LH..UX]. .UNINST~1.EXE..P......UX].UX]......"....................2.T.u.n.i.n.s.t.a.l.l.e.r...e.x.e.......[...............-.......Z............O.......C:\Program Files (x86)\Fast!\uninstaller.exe..D.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.F.a.s.t.!.\.u.n.i.n.s.t.a.l.l.e.r...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.F.a.s.t.!.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.F.a.s.t.!.\.u.n.i.n.s.t.a.l.l.e.r...e.x.e.........%ProgramFiles%\Fast!\uninstaller.exe..................................................................................................................

C:\Users\user\Desktop\Fast!.lnk

Download File

Process:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Feb 2 13:51:00 2024, mtime=Wed Feb 21 17:10:42 2024, atime=Fri Feb 2 13:51:00 2024, length=672088, window=hide
Category:	dropped
Size (bytes):	1036
Entropy (8bit):	4.635289457416568
Encrypted:	false
SSDEEP:
MD5:	CEE2CDEC55C9ED4C2E7ED572771640DF
SHA1:	412C80A6EC29A02F6314CE226D03809C35961CEE
SHA-256:	4C73A0BA524BB5AA82C8CF9F44F3CC9825683E7B00F78F312250D794A7A6B001
SHA-512:	8597A090C02B5A27F66C610FB546C6E8F64446F30272F6E6DF216710AB78FDAEFB11E4EE4DF2FB4B2D586C6EA1383CC6B3CD67762995E5A0F41DB153526443AC
Malicious:	false
Preview:	L..................F.... ....bf<.U..g..H.d...bf<.U..XA......................s....P.O. .:i.....+00.../C:\.....................1.....UXA...PROGRA~2.........O.IUXK.....................V.......s.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....P.1.....UX]...Fast!.<......UXA.UX]............................Y..F.a.s.t.!.....\.2.XA..BX`v .fast!.exe.D......BX`vUXV...............................f.a.s.t.!...e.x.e.......U...............-.......T............O.......C:\Program Files (x86)\Fast!\fast!.exe..,.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.F.a.s.t.!.\.f.a.s.t.!...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.F.a.s.t.!.........*................@Z\|...K.J.........`.......X.......134349...........hT..CrF.f4... ...%{.....-...-$..hT..CrF.f4... ...%{.....-...-$.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9...1SPS..mD..pH.H@..=x.....h

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Chrome Cache Entry: 326

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1572)
Category:	downloaded
Size (bytes):	5776
Entropy (8bit):	5.406333618109174
Encrypted:	false
SSDEEP:
MD5:	C840A8EFA9639BA51FFFF865A6D5B3ED
SHA1:	00C77DA03DDCFA49CC08A7229BA8FA3F9AFCCC38
SHA-256:	C3061C3788AD5783EF8A5D10C454BAFE7EB942C48200DCCC852CC6D3C9F303D4
SHA-512:	E73A55A7CB4906133D3C85F7F7F5BC1435FB1AE023A565B446B9A628D2540B7501EECC6D6CDC3276871BC418C16DAAE14FF0C84E9A10A691CC40597400ECDEC1
Malicious:	false
URL:	https://fonts.googleapis.com/css?family=Open%20Sans
Preview:	/* cyrillic-ext /.@font-face {. font-family: 'Open Sans';. font-style: normal;. font-weight: 400;. font-stretch: 100%;. src: url(https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4taVIGxA.woff2) format('woff2');. unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;.}./ cyrillic /.@font-face {. font-family: 'Open Sans';. font-style: normal;. font-weight: 400;. font-stretch: 100%;. src: url(https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4kaVIGxA.woff2) format('woff2');. unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;.}./ greek-ext /.@font-face {. font-family: 'Open Sans';. font-style: normal;. font-weight: 400;. font-stretch: 100%;. src: url(https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4saVIGxA.woff2) format('woff2');. unicode-range: U+1F00-1FFF;.}./ greek */.@font-fa

Chrome Cache Entry: 330

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (64351)
Category:	downloaded
Size (bytes):	219511
Entropy (8bit):	5.455338989760884
Encrypted:	false
SSDEEP:
MD5:	ECE08A30FA894A95E2D115EF09A9CBB4
SHA1:	B2C9EE01F968D0F4CB5EDF3C3E1CD858AA915126
SHA-256:	ABAB7A81C9DBD5A93DD2FA69682261353DA559A49E96CA369A8EBCD1B2120E97
SHA-512:	32A8A5CE373DB40DDABEED97BF21F5B41F5C4F23A7146A8723210C3CEAEE5E870884D9C80B8EAC529A4B887638A6C694A8157F17DF9F9060BD28CF6D1C40FFE3
Malicious:	false
URL:	https://connect.facebook.net/en_US/fbevents.js
Preview:	/*. Copyright (c) 2017-present, Facebook, Inc. All rights reserved... You are hereby granted a non-exclusive, worldwide, royalty-free license to use,.* copy, modify, and distribute this software in source code or binary form for use.* in connection with the web services and APIs provided by Facebook... As with any software that integrates with the Facebook platform, your use of.* this software is subject to the Facebook Platform Policy.* [http://developers.facebook.com/policy/]. This copyright notice shall be.* included in all copies or substantial portions of the software... THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS.* FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR.* COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER.* IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN.* CONNECTION WI

Chrome Cache Entry: 331

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	675
Entropy (8bit):	7.606800268124855
Encrypted:	false
SSDEEP:
MD5:	8D1ED092B3BE364DC47574F1310D2C87
SHA1:	D5BBA623B5AFB4C5B6C0AD5ED04A10F1881DA595
SHA-256:	07B61E98466A1F851D5DCF555AD9B901684EE622275129B98C38DA3785506FF2
SHA-512:	70134A9B5B786473A56F11BA7098CA6AF568EEF97AA8704A9748A5EFDFC4F16CEE1F9C22CEA9F55660BE4FEB14D6C1B5B09A7C76076D4F813A58FECF27BB8828
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz....jIDATx..VKK.Q....R."..q.....Z.\|.P....."b..'.......XiE..B6.6Z.c4.8....nf.$Nf&^. d1.w..9'...$.(.2N.V.\|.&....g...8.E.%].y.G_$8...O.H..4....%..>.N...P.....K..V9Z..4f..Y.,..T.pGi.%.?8.,@..W.'q...g...}p8....y.5r.......)......&....(.WrD_V.er.).h.....t....c~sN..u&S....Z.m\|.n..c.-_.A....(...._....X....,.hBD..<Z..Yk.V..._7V...U.........;....'....F..>;B..8.^.f../.:.. a?]..\.l......&@dD.g..y.r.p.g....fG<......M...r.....c..,...FJ,W...2G...d.9Q.4..5{4D...,._Oe.......Csbw.M~......dU.........j.0W.....r...'.s6..S......n...E...V@..e.$V....rfeN7.I...z+..`..R.,.N.]...>z..i#..~b.....N'..~0go.].*....I.e.x........[.S......IEND.B`.

Chrome Cache Entry: 332

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	675
Entropy (8bit):	7.606800268124855
Encrypted:	false
SSDEEP:
MD5:	8D1ED092B3BE364DC47574F1310D2C87
SHA1:	D5BBA623B5AFB4C5B6C0AD5ED04A10F1881DA595
SHA-256:	07B61E98466A1F851D5DCF555AD9B901684EE622275129B98C38DA3785506FF2
SHA-512:	70134A9B5B786473A56F11BA7098CA6AF568EEF97AA8704A9748A5EFDFC4F16CEE1F9C22CEA9F55660BE4FEB14D6C1B5B09A7C76076D4F813A58FECF27BB8828
Malicious:	false
URL:	https://repository.pcapp.store/pcapp/images/fast.png
Preview:	.PNG........IHDR... ... .....szz....jIDATx..VKK.Q....R."..q.....Z.\|.P....."b..'.......XiE..B6.6Z.c4.8....nf.$Nf&^. d1.w..9'...$.(.2N.V.\|.&....g...8.E.%].y.G_$8...O.H..4....%..>.N...P.....K..V9Z..4f..Y.,..T.pGi.%.?8.,@..W.'q...g...}p8....y.5r.......)......&....(.WrD_V.er.).h.....t....c~sN..u&S....Z.m\|.n..c.-_.A....(...._....X....,.hBD..<Z..Yk.V..._7V...U.........;....'....F..>;B..8.^.f../.:.. a?]..\.l......&@dD.g..y.r.p.g....fG<......M...r.....c..,...FJ,W...2G...d.9Q.4..5{4D...,._Oe.......Csbw.M~......dU.........j.0W.....r...'.s6..S......n...E...V@..e.$V....rfeN7.I...z+..`..R.,.N.]...>z..i#..~b.....N'..~0go.].*....I.e.x........[.S......IEND.B`.

Chrome Cache Entry: 333

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 18668, version 1.0
Category:	downloaded
Size (bytes):	18668
Entropy (8bit):	7.988119248989337
Encrypted:	false
SSDEEP:
MD5:	8655D20BBCC8CDBFAB17B6BE6CF55DF3
SHA1:	90EDBFA9A7DABB185487B4774076F82EB6412270
SHA-256:	E7AF9D60D875EB1C1B1037BBBFDEC41FCB096D0EBCF98A48717AD8B07906CED6
SHA-512:	47308DE25BD7E4CA27F59A2AE681BA64393FE4070E730C1F00C4053BAC956A9B4F7C0763C04145BC50A5F91C12A0BF80BDD4B03EECC2036CD56B2DB31494CBAF
Malicious:	false
URL:	https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4gaVI.woff2
Preview:	wOF2......H...........H..........................\|.....h.`?STAT^..0..\|...........+..2..6.$..`. ..x........z'o..w;....6.E....6....E...'$H.#.....n1X..JU/.d.O..JC.'J".v.v.l.h.....u.S...SY.....B.hz.o.}......W......%m6...A..=....\..m. .]..~.[..........]...I..h.=.....6.xt..F....Lt...Qs-.7..{...~BI.".F.Q......F...P..dMw..#I2........Rq.Q&.0@.;..;...3VG..:c.nki..-Q..2##e.u...8n....\?....T..b....^..#...../.J\|OM..St....e.S.}!.....>..i.T/a.ES%.W.P3..`..a.R.A.....!~g..74.np8o.....d[6?.P.4)P.....AG.3.......;#0.y....M..O/2.@.4..N.vA$.:M&H,.AT".........@..a.~..L->...0@h...~.._..N"......t......C./g7..............2E.N.J...TW.F..."A.B...n.......i.?.{\.L.!.B..x...S..!........?.\,... .@.....y"xw.A8.w..!E..-^P O..+.T.r.R.zz..K..].E.....Ri.)g.P...j..w..c.M.F.v../........Q....'...(....X..;.K.!BZ3.........f.....N.A(....cA`.b'...`.~sa^.....?..../.L.S......t..`@h..C.....>N.W...;>..._h.+~=\|......uOGA{.7.....h....q.d.4$.x<.....^0\|...@....@Q[RC.0....b....'...RID

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.131555003445194
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Setup (1).exe
File size:	105'144 bytes
MD5:	e55722d0c66670c13ca4bdf2025c12d7
SHA1:	50cd053864b3dbb3eb48de27d42c53bb5bc1e913
SHA256:	fa6578e355591999bce7d89b08c43d9a57ec379099cc9cc84a09a48c37f84900
SHA512:	7b89a898f1429821207ce464912780f1aa5bb5f4f3761c1af37e78a4e65810dd9b00fdb7da8bfa31d32c0ed4b8ab7e85c7bf0978a0dfa26356c2fb4873bd8267
SSDEEP:	1536:9/T2X/jN2vxZz0DTHUpou08xuIgjEOzKptRxE+1zyYCDtpXOrz78+x9:9bG7N2kDTHUpou0sgwY0RPzy5n+f5
TLSH:	42A3AE10B350C4A2F4A3CB302565663A5A79AC21F5604B4F3FE05A1869DE3F1AF2E3E5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j.........

File Icon


Icon Hash:	f9cc995924134d0d

Static PE Info

General

Entrypoint:	0x40352d
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56a78d55f3f7af51443e58e0ce2fb5f6

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	13/02/2023 01:00:00 15/02/2024 00:59:59
Subject Chain	CN=Fast Corporate LTD, O=Fast Corporate LTD, L=Ra'anana, C=IL, SERIALNUMBER=515636181, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IL
Version:	3
Thumbprint MD5:	6BD6E553625E804E96AF4AB0395E06CD
Thumbprint SHA-1:	0E2ED8280DB0068F76018744BB81F6B0EAAA06A4
Thumbprint SHA-256:	174D6BD057CEBD51F710366D9EA58D73250AE9EFE8F0F79AE341A95D87DA3E37
Serial:	0E2A84CE689A96E7A4E0B9F915300FF7

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007FC99161A08Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007FC99161A05Ah
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [00434FB8h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x65000	0x4cc0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x17150	0x2968	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6897	0x6a00	ce9df19df15aa7bfbc0a8d0af0b841d0	False	0.6661261792452831	data	6.458398214928006	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14a6	0x1600	a118375c929d970903c1204233b7583d	False	0.4392755681818182	data	5.024109281264143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2b018	0x600	82a10c59a8679bb952fc8316070b8a6c	False	0.521484375	data	4.15458210408643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x36000	0x2f000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x65000	0x4cc0	0x4e00	a1f1c813ffd264f94121e843e3727aa8	False	0.20367588141025642	data	3.8105718610431265	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x651c0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 30000 x 30000 px/m	English	United States	0.16450165328294758
RT_DIALOG	0x693e8	0x202	data	English	United States	0.4085603112840467
RT_DIALOG	0x695f0	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x696e8	0xa0	data	English	United States	0.60625
RT_DIALOG	0x69788	0xee	data	English	United States	0.6302521008403361
RT_GROUP_ICON	0x69878	0x14	data	English	United States	1.1
RT_MANIFEST	0x69890	0x42e	XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators	English	United States	0.5130841121495328

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	19:09:55
Start date:	21/02/2024
Path:	C:\Users\user\Desktop\Setup (1).exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Setup (1).exe
Imagebase:	0x400000
File size:	105'144 bytes
MD5 hash:	E55722D0C66670C13CA4BDF2025C12D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	19:10:02
Start date:	21/02/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/installing.html?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	19:10:03
Start date:	21/02/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	19:10:04
Start date:	21/02/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1932,i,407126297342683316,15967472951187862023,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	19:10:19
Start date:	21/02/2024
Path:	C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe" /fcid 1708534066480873
Imagebase:	0x400000
File size:	131'346'680 bytes
MD5 hash:	6354C2FD7D3E21CB782A57AA601C44C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	19:10:22
Start date:	21/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c "C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp" > C:\Users\user\AppData\Local\FAST!\Temp\dskres.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:10:22
Start date:	21/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	19:10:22
Start date:	21/02/2024
Path:	C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\user\AppData\Local\FAST!\Temp\testfile.temp
Imagebase:	0xff0000
File size:	144'688 bytes
MD5 hash:	FC41CABDD3C18079985AC5F648F58A90
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	19:10:57
Start date:	21/02/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://veryfast.io/installed.php?guid=4D802742-3099-9C0E-C19B-2A23EA1FC420&_fcid=1708534066480873
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	19:10:57
Start date:	21/02/2024
Path:	C:\Program Files (x86)\Fast!\FastSRV.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Fast!\FastSRV.exe
Imagebase:	0x1000000
File size:	98'648 bytes
MD5 hash:	CD46510547991D8DC8ED3BA175985E4D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 58%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	19:10:58
Start date:	21/02/2024
Path:	C:\Program Files (x86)\Fast!\fast!.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\fast!\fast!.exe
Imagebase:	0x220000
File size:	672'088 bytes
MD5 hash:	CF118C6E3FAF9E10A566B4155AB5F2EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 46%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	19:10:58
Start date:	21/02/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1988,i,4595683001610926679,17947632816078318060,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	19:10:59
Start date:	21/02/2024
Path:	C:\Program Files (x86)\Fast!\fast!.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Fast!\Fast!.exe
Imagebase:	0x220000
File size:	672'088 bytes
MD5 hash:	CF118C6E3FAF9E10A566B4155AB5F2EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	19:11:02
Start date:	21/02/2024
Path:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Fast!\nwjs\nw.exe" ui\.
Imagebase:	0x7ff7ca350000
File size:	2'337'112 bytes
MD5 hash:	D6644E8A0C3C48607EC424BAE0FEB47E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	19:11:02
Start date:	21/02/2024
Path:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\FAST!\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\FAST!\User Data\Crashpad" "--metrics-dir=C:\Users\user\AppData\Local\FAST!\User Data" --annotation=plat=Win64 --annotation=prod=FAST! --annotation=ver= --initial-client-data=0x26c,0x270,0x274,0x268,0x278,0x7ffda39aa970,0x7ffda39aa980,0x7ffda39aa990
Imagebase:	0x7ff7ca350000
File size:	2'337'112 bytes
MD5 hash:	D6644E8A0C3C48607EC424BAE0FEB47E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	19:11:03
Start date:	21/02/2024
Path:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=gpu-process --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2036 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:2
Imagebase:	0x7ff7ca350000
File size:	2'337'112 bytes
MD5 hash:	D6644E8A0C3C48607EC424BAE0FEB47E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	19:11:06
Start date:	21/02/2024
Path:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --start-stack-profiler --mojo-platform-channel-handle=2396 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8
Imagebase:	0x7ff7ca350000
File size:	2'337'112 bytes
MD5 hash:	D6644E8A0C3C48607EC424BAE0FEB47E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	19:11:07
Start date:	21/02/2024
Path:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-GB --service-sandbox-type=service --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=2500 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8
Imagebase:	0x7ff7ca350000
File size:	2'337'112 bytes
MD5 hash:	D6644E8A0C3C48607EC424BAE0FEB47E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	19:11:08
Start date:	21/02/2024
Path:	C:\Program Files (x86)\Fast!\fast!.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\fast!\fast!.exe
Imagebase:	0x220000
File size:	672'088 bytes
MD5 hash:	CF118C6E3FAF9E10A566B4155AB5F2EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	19:11:08
Start date:	21/02/2024
Path:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --nwjs --extension-process --first-renderer-process --no-sandbox --file-url-path-alias="/gen=C:\Program Files (x86)\Fast!\nwjs\gen" --no-zygote --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1708532403761554 --launch-time-ticks=6663733321 --mojo-platform-channel-handle=2864 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:1
Imagebase:	0x7ff7ca350000
File size:	2'337'112 bytes
MD5 hash:	D6644E8A0C3C48607EC424BAE0FEB47E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	19:11:11
Start date:	21/02/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff609140000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	19:11:16
Start date:	21/02/2024
Path:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=3364 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8
Imagebase:	0x7ff7ca350000
File size:	2'337'112 bytes
MD5 hash:	D6644E8A0C3C48607EC424BAE0FEB47E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	19:11:33
Start date:	21/02/2024
Path:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=3944 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8
Imagebase:	0x7ff7ca350000
File size:	2'337'112 bytes
MD5 hash:	D6644E8A0C3C48607EC424BAE0FEB47E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	19:11:34
Start date:	21/02/2024
Path:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=3848 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:8
Imagebase:	0x7ff7ca350000
File size:	2'337'112 bytes
MD5 hash:	D6644E8A0C3C48607EC424BAE0FEB47E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	19:13:11
Start date:	21/02/2024
Path:	C:\Program Files (x86)\Fast!\nwjs\nw.exe
Wow64 process (32bit):
Commandline:	"C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --start-stack-profiler --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4236 --field-trial-handle=2080,i,776503499850854903,12023336108169358555,262144 /prefetch:2
Imagebase:
File size:	2'337'112 bytes
MD5 hash:	D6644E8A0C3C48607EC424BAE0FEB47E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	28.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.6%
Total number of Nodes:	1352
Total number of Limit Nodes:	36

Executed Functions

Function 0040352D Relevance: 82.7, APIs: 34, Strings: 13, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00008001), ref: 00403550
GetVersionExW.KERNEL32(?), ref: 00403579
GetVersionExW.KERNEL32(0000011C), ref: 00403590
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403627
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403663
OleInitialize.OLE32(00000000), ref: 0040366A
SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403688
GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 0040369D
CharNextW.USER32(00000000,00440000,00000020,00440000,00000000), ref: 004036D6
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 00403809
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040381A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403826
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040383A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403842
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403853
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040385B
DeleteFileW.KERNEL32(1033), ref: 0040386F
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403956
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403965

Part of subcall function 00405AEB: CreateDirectoryW.KERNEL32(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403970
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00441800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00440000,00000000,?), ref: 0040397C
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040399C
DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00436000,?), ref: 004039FB
CopyFileW.KERNEL32(C:\Users\user\Desktop\Setup (1).exe,0042AA28,00000001), ref: 00403A0E
CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403A3B
ExitProcess.KERNEL32(?), ref: 00403A59
OleUninitialize.OLE32(?), ref: 00403A5E
ExitProcess.KERNEL32 ref: 00403A78
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A8C
OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA7
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AC6
ExitWindowsEx.USER32(00000002,80040002), ref: 00403AEB
ExitProcess.KERNEL32 ref: 00403B0C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004037FE, 00403803, 00403819, 00403825, 00403834, 00403841, 0040384D, 00403855, 00403953, 00403964, 0040396F, 0040397B, 0040398C, 0040399B, 00403A51
C:\Users\user\Desktop\Setup (1).exe, xrefs: 00403A09
Error launching installer, xrefs: 004038FF
UXTHEME, xrefs: 0040361B, 00403620, 00403626
1033, xrefs: 0040386A
~nsu, xrefs: 0040394E
SeShutdownPrivilege, xrefs: 00403AA1
TEMP, xrefs: 0040384E
.tmp, xrefs: 0040396A
NSIS Error, xrefs: 0040368E
TMP, xrefs: 00403856
Low, xrefs: 0040383C
\Temp, xrefs: 00403820

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\Setup (1).exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2292928366-1539646836
Opcode ID: 31f77c8a8b3a3ad3f5f74e486622c6887c952165384ea8b63ade3724d5224d7f
Instruction ID: 4d4dc0a58e4858e72561def8a0259f0227da8af974c10a5ea2b310ef4b80d7a5
Opcode Fuzzy Hash: 31f77c8a8b3a3ad3f5f74e486622c6887c952165384ea8b63ade3724d5224d7f
Instruction Fuzzy Hash: 66E10670A00214AADB10AFB59D45BAF3AB8EF4470AF14847FF545B22D1DB7C8A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004056DE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040573C
GetDlgItem.USER32(?,000003EE), ref: 0040574B
GetClientRect.USER32(?,?), ref: 00405788
GetSystemMetrics.USER32(00000002), ref: 0040578F
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B0
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C1
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D4
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E2
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057F5
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405817
ShowWindow.USER32(?,00000008), ref: 0040582B
GetDlgItem.USER32(?,000003EC), ref: 0040584C
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040585C
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405875
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405881
GetDlgItem.USER32(?,000003F8), ref: 0040575A

Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

GetDlgItem.USER32(?,000003EC), ref: 0040589E
CreateThread.KERNEL32(00000000,00000000,Function_00005672,00000000), ref: 004058AC
CloseHandle.KERNEL32(00000000), ref: 004058B3
ShowWindow.USER32(00000000), ref: 004058D7
ShowWindow.USER32(00020414,00000008), ref: 004058DC
ShowWindow.USER32(00000008), ref: 00405926
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595A
CreatePopupMenu.USER32 ref: 0040596B
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040597F
GetWindowRect.USER32(?,?), ref: 0040599F
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059B8
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F0
OpenClipboard.USER32(00000000), ref: 00405A00
EmptyClipboard.USER32 ref: 00405A06
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A12
GlobalLock.KERNEL32(00000000), ref: 00405A1C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A30
GlobalUnlock.KERNEL32(00000000), ref: 00405A50
SetClipboardData.USER32(0000000D,00000000), ref: 00405A5B
CloseClipboard.USER32 ref: 00405A61

Strings

{, xrefs: 00405944

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: f8565664f7b2e804c40d78346ff69871c1535371e8e3cc69fe24884c49ce1a76
Instruction ID: 6b97441d6f4cfe62a880681573964a63c423f2dd70b2063085686802d9cc5617
Opcode Fuzzy Hash: f8565664f7b2e804c40d78346ff69871c1535371e8e3cc69fe24884c49ce1a76
Instruction Fuzzy Hash: C8B169B1900608FFDB119FA0DD85AAE7B79FB44355F00803AFA41BA1A0C7755E51DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00405C49 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C72
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb9574.tmp\*.*,\*.*), ref: 00405CBA
lstrcatW.KERNEL32(?,0040A014), ref: 00405CDD
lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\*.*,?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CE3
FindFirstFileW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb9574.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\*.*,?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CF3
FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
FindClose.KERNEL32(00000000), ref: 00405DA2

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C56
., xrefs: 00405D18
C:\Users\user\AppData\Local\Temp\nsb9574.tmp\*.*, xrefs: 00405CA2, 00405CA8, 00405CB9, 00405CF2
\*.*, xrefs: 00405CB4
., xrefs: 00405D04

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsb9574.tmp\*.*$\*.*
API String ID: 2035342205-2488138814
Opcode ID: d4824498ca5d4646401654330336f54dc3516ea2401a274e156101c2699109e4
Instruction ID: 8b2ee76931e9ba666d6dc67a471f1b560bbb00ea1adf29c264b32972d7114dcf
Opcode Fuzzy Hash: d4824498ca5d4646401654330336f54dc3516ea2401a274e156101c2699109e4
Instruction Fuzzy Hash: 3D41A130900A14BADB216B65CC8DABF7678DF81714F14817FF841B21D1D77C4A819EAE

Uniqueness

Uniqueness Score: -1.00%

Function 00406873 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,004302B8,C:\,00405F5D,C:\,C:\,00000000,C:\,C:\, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 0040687E
FindClose.KERNEL32(00000000), ref: 0040688A

Strings

C:\, xrefs: 00406873

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
Instruction ID: 67599a3b69382adcf67454a25bfea179debcebd0a6e2e92eb77ede12202c023a
Opcode Fuzzy Hash: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
Instruction Fuzzy Hash: C3D012325192205FC3402B386E0C84B7A989F16331726CB76B4AAF51E0D7388C7387BD

Uniqueness

Uniqueness Score: -1.00%

Function 00403F9A Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FD6
ShowWindow.USER32(?), ref: 00403FF6
GetWindowLongW.USER32(?,000000F0), ref: 00404008
ShowWindow.USER32(?,00000004), ref: 00404021
DestroyWindow.USER32 ref: 00404035
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040404E
GetDlgItem.USER32(?,?), ref: 0040406D
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404081
IsWindowEnabled.USER32(00000000), ref: 00404088
GetDlgItem.USER32(?,00000001), ref: 00404133
GetDlgItem.USER32(?,00000002), ref: 0040413D
SetClassLongW.USER32(?,000000F2,?), ref: 00404157
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A8
GetDlgItem.USER32(?,00000003), ref: 0040424E
ShowWindow.USER32(00000000,?), ref: 0040426F
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404281
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040429C
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042B2
EnableMenuItem.USER32(00000000), ref: 004042B9
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D1
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042E4
lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 0040430E
SetWindowTextW.USER32(?,0042D268), ref: 00404322
ShowWindow.USER32(?,0000000A), ref: 00404456

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$CallbackDispatcherMenuUser$ClassDestroyEnableEnabledSystemTextlstrlen
String ID:
API String ID: 3964124867-0
Opcode ID: f65e638bec718107b599af9a82b264fc0764d6b1c1dffbdcb4ef221558e01a13
Instruction ID: 19e8ffe36521fda3862950d2389d84f1ef0c133ac5ff71005f69e3a94542e2f3
Opcode Fuzzy Hash: f65e638bec718107b599af9a82b264fc0764d6b1c1dffbdcb4ef221558e01a13
Instruction Fuzzy Hash: DDC1A1B1A00704ABDB206F61EE49E2B3A68FB84746F15053EF741B61F1CB799841DB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00403BEC Relevance: 42.2, APIs: 13, Strings: 11, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040690A: GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
Part of subcall function 0040690A: GetProcAddress.KERNEL32(00000000,?), ref: 00406937

lstrcatW.KERNEL32(1033,0042D268), ref: 00403C6D
lstrlenW.KERNEL32(00432EA0,?,?,?,00432EA0,00000000,00440800,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,76233420), ref: 00403CED
lstrcmpiW.KERNEL32(00432E98,.exe,00432EA0,?,?,?,00432EA0,00000000,00440800,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403D00
GetFileAttributesW.KERNEL32(00432EA0,?,00000000,?), ref: 00403D0B
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00440800), ref: 00403D54

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

RegisterClassW.USER32(00433EA0), ref: 00403D91
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DA9
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DDE
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403E14
GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403E40
GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403E4D
RegisterClassW.USER32(00433EA0), ref: 00403E56
DialogBoxParamW.USER32(?,00000000,00403F9A,00000000), ref: 00403E75

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403BF1
RichEdit, xrefs: 00403E47
RichEd20, xrefs: 00403E1A
RichEdit20W, xrefs: 00403E38, 00403E3E
RichEd32, xrefs: 00403E28
elete file: , xrefs: 00403CDC, 00403CE3, 00403CEC, 00403D0A
Control Panel\Desktop\ResourceLocale, xrefs: 00403C20
_Nb, xrefs: 00403D70, 00403DD8
.exe, xrefs: 00403CFA
1033, xrefs: 00403C0C, 00403C68
.DEFAULT\Control Panel\International, xrefs: 00403C58

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$elete file:
API String ID: 1975747703-176539017
Opcode ID: d676aef2f71fbad829aa91df8609c37157257c620a924ef9afc500929f8c8bb5
Instruction ID: 6cc527b2f10929733706d009ff8c1d9b21e511251dd9cb17fe62514cef47010a
Opcode Fuzzy Hash: d676aef2f71fbad829aa91df8609c37157257c620a924ef9afc500929f8c8bb5
Instruction Fuzzy Hash: F561A670140300BED721AF66ED46F2B3A6CEB84B5AF40453FF945B62E2CB7D59018A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040307D Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040308E
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Setup (1).exe,00000400,?,?,?,?,?,0040387D,?), ref: 004030AA

Part of subcall function 0040602D: GetFileAttributesW.KERNEL32(00000003,004030BD,C:\Users\user\Desktop\Setup (1).exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,00441800,00441800,C:\Users\user\Desktop\Setup (1).exe,C:\Users\user\Desktop\Setup (1).exe,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
GlobalAlloc.KERNEL32(00000040,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403084
C:\Users\user\Desktop\Setup (1).exe, xrefs: 00403094, 004030A3, 004030B7, 004030D7
Error launching installer, xrefs: 004030CD
}8@, xrefs: 00403227, 00403242
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
Null, xrefs: 00403174
Inst, xrefs: 00403162
soft, xrefs: 0040316B

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\Setup (1).exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$}8@
API String ID: 2803837635-4163372932
Opcode ID: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
Instruction ID: 750c061bb954c4555836cecba7cc54c639b148d890841a972b43b12454d44aa7
Opcode Fuzzy Hash: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
Instruction Fuzzy Hash: 7951B571904204AFDB10AF65ED42B9E7EACAB48756F14807BF904B62D1C77C9F408B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040657A Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 196
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(00432EA0,00000400), ref: 00406695
GetWindowsDirectoryW.KERNEL32(00432EA0,00000400,00000000,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,?,004055D6,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,00000000,00000000,00425020,762323A0), ref: 004066A8
lstrcatW.KERNEL32(00432EA0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
lstrlenW.KERNEL32(00432EA0,00000000,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,?,004055D6,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,00000000), ref: 00406779

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406663
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406719
C:\Users\user\AppData\Local\Temp\nsb9574.tmp\, xrefs: 0040659F

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsb9574.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-3225908957
Opcode ID: c06be4e573324e40d3b735838f303e9f3324c9f348604da111048893f4ce4833
Instruction ID: 685928b229c5d1fd60d609eb920d771e11fa4d776b5b66b0bad6c944a0f90ddf
Opcode Fuzzy Hash: c06be4e573324e40d3b735838f303e9f3324c9f348604da111048893f4ce4833
Instruction Fuzzy Hash: 1D61D131900205EADB209F64DD80BAE77A5EF54318F22813BE907B72D0D77D99A1CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004032B4 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040331E
GetTickCount.KERNEL32 ref: 004033C5
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033EE
wsprintfW.USER32 ref: 00403401

Strings

A, xrefs: 00403374
}8@, xrefs: 004032B4
PB, xrefs: 004033A2, 004033BD, 0040343A
A, xrefs: 0040347E
*B, xrefs: 004032DF
... %d%%, xrefs: 004033FB

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: CountTick$wsprintf
String ID: *B$ PB$ A$ A$... %d%%$}8@
API String ID: 551687249-3288948294
Opcode ID: e283f46b041b5be23ed20deafccabedd1979d9ad8d71fea5bcc7283382808035
Instruction ID: 54ab186c05730647c672001b6e56d135182c7b51176e178f40f708a1e84a381e
Opcode Fuzzy Hash: e283f46b041b5be23ed20deafccabedd1979d9ad8d71fea5bcc7283382808035
Instruction Fuzzy Hash: E251BD31810219EBCF11DF65DA44B9E7BB8AF05756F10827BE804BB2C1D7789E44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,get,get,00000000,00000000,get,00441000,?,?,00000031), ref: 004017D5

Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A

Part of subcall function 0040559F: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,00000000,00425020,762323A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,00000000,00425020,762323A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,00403418), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Strings

C:\Users\user\AppData\Local\Temp\nsb9574.tmp\inetc.dll, xrefs: 00401835, 00401851
C:\Users\user\AppData\Local\Temp\nsb9574.tmp, xrefs: 00401821, 0040183F
get, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsb9574.tmp$C:\Users\user\AppData\Local\Temp\nsb9574.tmp\inetc.dll$get
API String ID: 1941528284-475298140
Opcode ID: 340e1442e1db9b0bbd45c79093729705e5d63a2406d9793f1b9f797b5a8be8ee
Instruction ID: 1e3f5e060805a06bac003644be00ba5f3fef1f2c353f2d3d357c0a6c5ca497fd
Opcode Fuzzy Hash: 340e1442e1db9b0bbd45c79093729705e5d63a2406d9793f1b9f797b5a8be8ee
Instruction Fuzzy Hash: F4419371900108BACF11BFB5DD85DAE7A79EF45768B20423FF422B10E2D63C8A91966D

Uniqueness

Uniqueness Score: -1.00%

Function 0040559F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,00000000,00425020,762323A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
lstrlenW.KERNEL32(00403418,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,00000000,00425020,762323A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,00403418), ref: 004055FA
SetWindowTextW.USER32(C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\), ref: 0040560C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Part of subcall function 0040657A: lstrcatW.KERNEL32(00432EA0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(00432EA0,00000000,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,?,004055D6,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,00000000), ref: 00406779

Strings

C:\Users\user\AppData\Local\Temp\nsb9574.tmp\, xrefs: 004055C0, 004055D0, 004055D6, 004055F9, 00405605

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: C:\Users\user\AppData\Local\Temp\nsb9574.tmp\
API String ID: 1495540970-336389646
Opcode ID: 61fc35634f83d303f4bb0fdf458391b4626c4708e393b35bd1b1a29fdfa46634
Instruction ID: 138a2a903332092674924c4fce2a37a83712bc812e9b86ab44911e1df8857bb6
Opcode Fuzzy Hash: 61fc35634f83d303f4bb0fdf458391b4626c4708e393b35bd1b1a29fdfa46634
Instruction Fuzzy Hash: C1219071900558BACF11AFA9DD84DDFBF75EF45354F14803AF904B22A0C7794A419F68

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 0040610E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406124

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
Instruction ID: 36eba916602f65c1f8b814f2f26102ddc75cc08ed25eda7b441ea0696c55e726
Opcode Fuzzy Hash: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
Instruction Fuzzy Hash: C551E975D00219AADF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040689A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
wsprintfW.USER32 ref: 004068EC
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406900

Strings

%s%S.dll, xrefs: 004068E6
\, xrefs: 004068C2
UXTHEME, xrefs: 004068A3

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: 21628a1c63ce2f140fdd4d546058f3b0ba52bdb51e88dcb335987c0e659eada7
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: D0F0F671511119ABDB10BB64DD0DF9B376CBF00305F10847AA646F10D0EB7CDA68CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405F14 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A

Part of subcall function 00405EB7: CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2

lstrlenW.KERNEL32(C:\,00000000,C:\,C:\, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F6D
GetFileAttributesW.KERNEL32(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 00405F7D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F14
C:\, xrefs: 00405F1A, 00405F1F, 00405F25, 00405F66, 00405F6C, 00405F74, 00405F7C
4#v, xrefs: 00405F16

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 4#v$C:\$C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-1150081906
Opcode ID: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
Instruction ID: e20fb510edeaf32ba19235dad054e15b0ffac27cf679254cac4fdbc394554759
Opcode Fuzzy Hash: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
Instruction Fuzzy Hash: E3F0F426119D6226DB22333A5C05EAF0554CE9276475A023BF895B12C5DB3C8A43D8AE

Uniqueness

Uniqueness Score: -1.00%

Function 00405A6E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1
GetLastError.KERNEL32 ref: 00405AC5
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
GetLastError.KERNEL32 ref: 00405AE4

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A94

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-3936084776
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 637b0a295f6611997b04f2fb2f8121e2d74ae93851c1d74b8ff7b710bfe1865b
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: 1A010871D04219EAEF019BA0DD84BEFBBB4EB14314F00813AD545B6281E7789648CFE9

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
Instruction ID: b69f8f45c5cbb28dd5603d9b1d667d2ce3d3910c133b75fee4ecc707c572ca23
Opcode Fuzzy Hash: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
Instruction Fuzzy Hash: 3321F672904119AFCB05DBA4DE45AEEBBB5EF08314F14003AFA45F62A0DB389951DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
Instruction ID: 549e056fbb7746b1afa8e7352ee9f1cbf83a3633853e14f9ff1f16dc1dd81c22
Opcode Fuzzy Hash: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
Instruction Fuzzy Hash: 46219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040248A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb9574.tmp,00000023,00000011,00000002), ref: 004024D5
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsb9574.tmp,00000000,00000011,00000002), ref: 00402515
RegCloseKey.KERNEL32(?,?,?,C:\Users\user\AppData\Local\Temp\nsb9574.tmp,00000000,00000011,00000002), ref: 004025FD

Strings

C:\Users\user\AppData\Local\Temp\nsb9574.tmp, xrefs: 004024C6, 004024D4, 004024EB, 004024FF, 0040250A

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsb9574.tmp
API String ID: 2655323295-47198566
Opcode ID: 3f2741e17913f4b3ae47e715a678bc9f1b76d5c80f35dbb4c6e867a5b8f0e772
Instruction ID: a32c4fc66ba480c3aafb49ec1434dbeb720bd0d2787204a1d049ba7b64bbfaa1
Opcode Fuzzy Hash: 3f2741e17913f4b3ae47e715a678bc9f1b76d5c80f35dbb4c6e867a5b8f0e772
Instruction Fuzzy Hash: 8B118E71E00119BEEF10AFA5DE49EAEBAB8FF44358F15443AF504F61C1D7B88D40AA58

Uniqueness

Uniqueness Score: -1.00%

Function 0040605C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040607A
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,?,0040352B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406095

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406061
nsa, xrefs: 00406069

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1857211195
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: cc98cbd97bba9fac9576f26979179aa346a2ab2dc3c85b14509754d74f2b81c3
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: CEF09076B40204FBEB00CF69ED05E9EB7BCEB95750F11803AFA05F7140E6B499648768

Uniqueness

Uniqueness Score: -1.00%

Function 0040263E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb9574.tmp\inetc.dll), ref: 00402695

Strings

C:\Users\user\AppData\Local\Temp\nsb9574.tmp\inetc.dll, xrefs: 00402659, 0040267E, 00402690, 004026DC
C:\Users\user\AppData\Local\Temp\nsb9574.tmp, xrefs: 00402683

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsb9574.tmp$C:\Users\user\AppData\Local\Temp\nsb9574.tmp\inetc.dll
API String ID: 1659193697-2299357974
Opcode ID: c89b065c694cce219da84b90cfab978208087e88e33c3faf6e2e3ef8d4dc70fc
Instruction ID: edf8e5a6553ae7ef136857fb61bcac29e22bbc78049b19fa22ca3c34260198f3
Opcode Fuzzy Hash: c89b065c694cce219da84b90cfab978208087e88e33c3faf6e2e3ef8d4dc70fc
Instruction Fuzzy Hash: 2611EB71A00215BBCB10BFB18E4AAAE7665AF40744F25443FE002B71C2EAFC8891565E

Uniqueness

Uniqueness Score: -1.00%

Function 00403B57 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,76233420,00000000,C:\Users\user\AppData\Local\Temp\,00403B2F,00403A5E,?), ref: 00403B71
GlobalFree.KERNEL32(?), ref: 00403B78

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B57

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3936084776
Opcode ID: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
Instruction ID: 19c5699a9bb8b3376c06320bd1355d3f7d45777e2bc9a3354ca833756e7661a4
Opcode Fuzzy Hash: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
Instruction Fuzzy Hash: 40E0EC3290212097C7615F55FE08B6E7B78AF49B26F05056AE884BB2628B746D428BDC

Uniqueness

Uniqueness Score: -1.00%

Function 004020D8 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00402103

Part of subcall function 0040559F: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,00000000,00425020,762323A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,00000000,00425020,762323A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,00403418), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402114
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 0bf0e5e813b2564cc7cfb612efcde4c797e71ce7d2922b3564d4c07743ad1514
Instruction ID: d1cf9917c249e547a3b1759614bc69e8b445b1996c4dbd71fd6f6dd46acd7470
Opcode Fuzzy Hash: 0bf0e5e813b2564cc7cfb612efcde4c797e71ce7d2922b3564d4c07743ad1514
Instruction Fuzzy Hash: 2A21C231904104FACF11AFA5CE48A9D7A71BF48358F20413BF605B91E1DBBD8A82965D

Uniqueness

Uniqueness Score: -1.00%

Function 00401B9B Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(005CC548), ref: 00401C0B
GlobalAlloc.KERNEL32(00000040,00000804), ref: 00401C1D

Part of subcall function 0040657A: lstrcatW.KERNEL32(00432EA0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(00432EA0,00000000,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,?,004055D6,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,00000000), ref: 00406779

Strings

get, xrefs: 00401BC2, 00401BC8, 00401BE2

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: Global$AllocFreelstrcatlstrlen
String ID: get
API String ID: 3292104215-4248514160
Opcode ID: cecd7903579db09396e99fcb4041446ac8fea00c0e28d0f13f956e9ee607e8f0
Instruction ID: 7c0f58a685d1fc6dd3685da305ee1819882fb4420ac17dc2787245939102450a
Opcode Fuzzy Hash: cecd7903579db09396e99fcb4041446ac8fea00c0e28d0f13f956e9ee607e8f0
Instruction Fuzzy Hash: 1B21D872904210EBDB20AFA8EE84A5E73B4EB04715755063BF552F72D0D7B8AC414B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040259E Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D1
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E4
RegCloseKey.KERNEL32(?,?,?,C:\Users\user\AppData\Local\Temp\nsb9574.tmp,00000000,00000011,00000002), ref: 004025FD

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 89c6ceebaf26a2410158c75cc71a1e3b778611476644ea09d24f59567d4f9c93
Instruction ID: 08080f496e1fbaad801da7c4a2f11cdf7a22a5a493a276a89d416976773fa01e
Opcode Fuzzy Hash: 89c6ceebaf26a2410158c75cc71a1e3b778611476644ea09d24f59567d4f9c93
Instruction Fuzzy Hash: 89017CB1A04105ABEB159F94DE58AAEB66CEF40348F10403AF501B61C0EBB85E44966D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C01 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00406008: GetFileAttributesW.KERNEL32(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
Part of subcall function 00406008: SetFileAttributesW.KERNEL32(?,00000000), ref: 00406021

RemoveDirectoryW.KERNEL32(?,?,?,00000000,00405DE3), ref: 00405C1C
DeleteFileW.KERNEL32(?,?,?,00000000,00405DE3), ref: 00405C24
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C3C

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
Instruction ID: 0274c5225d47ddc366315f3a2fda4b694ad97aa72442a0e2fcdbaf00fd257d87
Opcode Fuzzy Hash: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
Instruction Fuzzy Hash: F4E0E53110CF9156E61457309E08F5F2AD8EF86715F05493EF892B10C0CBB848068E6A

Uniqueness

Uniqueness Score: -1.00%

Function 00401F12 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00405B63: ShellExecuteExW.SHELL32(?), ref: 00405B72

Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
Part of subcall function 004069B5: GetExitCodeProcess.KERNEL32(?,?), ref: 004069E8

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 00401FEB

Strings

@, xrefs: 00401F8A

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: ChangeCloseCodeExecuteExitFindNotificationObjectProcessShellSingleWait
String ID: @
API String ID: 4215836453-2766056989
Opcode ID: e9e6b888b2ac62b7866e10c79cc816c8736e15ae282fdec460a2aeb23ba8a534
Instruction ID: 706d8f23dd4fc365793d21c3b3cee38f3579e955c6bce5a1691758ef83551cc9
Opcode Fuzzy Hash: e9e6b888b2ac62b7866e10c79cc816c8736e15ae282fdec460a2aeb23ba8a534
Instruction Fuzzy Hash: 20115B71E042189ADB50EFB9CA49B8CB6F4BF04304F24447AE405F72C1EBBC89459B18

Uniqueness

Uniqueness Score: -1.00%

Function 00404472 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000408,?,00000000,004040D1), ref: 00404490

Strings

x, xrefs: 00404472

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: MessageSend
String ID: x
API String ID: 3850602802-2363233923
Opcode ID: 6afabcb65d7cd0472edcecb82606307073186cf957424f1b3ed57c3b76b5cfb8
Instruction ID: 1b38e0d23eed931a714c5b599c5829f4d2050063c4158495342b67dc2c27a344
Opcode Fuzzy Hash: 6afabcb65d7cd0472edcecb82606307073186cf957424f1b3ed57c3b76b5cfb8
Instruction Fuzzy Hash: 10C01271140200EACB004B00DE01F0A7A20B7A0B02F209039F381210B087B05422DB0C

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405EB7: CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2

GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405A6E: CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1

SetCurrentDirectoryW.KERNEL32(?,00441000,?,00000000,000000F0), ref: 0040164D

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID:
API String ID: 1892508949-0
Opcode ID: e89a9e6a3f09ade376d0d4b3fd71c203f5cd3ef8be9bd613e1140dffb9deb40c
Instruction ID: 910f9ca0e916fbda017ea5bccd1daba2d9720f9cae8b5c5670dceb894c5ef12e
Opcode Fuzzy Hash: e89a9e6a3f09ade376d0d4b3fd71c203f5cd3ef8be9bd613e1140dffb9deb40c
Instruction Fuzzy Hash: 3E11D031504110EBCF216FA5CD4099F36A0EF25369B28493BE945B52F1DA3E4A829A8E

Uniqueness

Uniqueness Score: -1.00%

Function 0040252A Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040255B
RegCloseKey.KERNEL32(?,?,?,C:\Users\user\AppData\Local\Temp\nsb9574.tmp,00000000,00000011,00000002), ref: 004025FD

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 3fb0128ec3c0afb48f28764f09fc95c95f98cfbd5e462e7a9813c2ba4e742ed8
Instruction ID: 3e5dab0bbcc9b7b4348569693e39c51bc0b27c59e8ea0ed6abb05ebc10b9b344
Opcode Fuzzy Hash: 3fb0128ec3c0afb48f28764f09fc95c95f98cfbd5e462e7a9813c2ba4e742ed8
Instruction Fuzzy Hash: 5F116D71900219EADF14DFA4DA589AE77B4FF04345B20443BE401B62C0E7B88A45EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040640B Relevance: 3.0, APIs: 2, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00650000,00650000,00000000,00000000,00432EA0,00000800,00000000,?,00000000,00650000,00650000,00432EA0,?,?,00406672,80000002), ref: 00406451
RegCloseKey.KERNEL32(00650000,?,00406672,80000002,Software\Microsoft\Windows\CurrentVersion,00650000,00432EA0,00650000,00000000,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\), ref: 0040645C

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: a8d415a3dc4e4479eaaa65942f717852bb8bd3539c12dad3b2e52d491ce509ba
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: FB017C72510209AADF21CF51CC09EDB3BB8FB54364F01803AFD5AA6190D738D968DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
Instruction ID: f98c5e72cab4da6dd47fcf147c12dc0649e5852bd482257a86ca63d172a8b8d6
Opcode Fuzzy Hash: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
Instruction Fuzzy Hash: 0B01F4316202209FE7094B389D05B6A3698E710319F14823FF851F65F1EA78DC029B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00401EDE Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EFC
EnableWindow.USER32(00000000,00000000), ref: 00401F07

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 5ade1ed26a80a7dd8760c06c43378076533002221f41e68569be4ee1dd8de31a
Instruction ID: ff95e9915c8c9942b49c08d49a5710ecdabad47c7be9b03b7ba0a01474a23479
Opcode Fuzzy Hash: 5ade1ed26a80a7dd8760c06c43378076533002221f41e68569be4ee1dd8de31a
Instruction Fuzzy Hash: E7E04872908211CFE705EBA4EE495AD77F4EF40325710497FE501F11D1DBB55D00965D

Uniqueness

Uniqueness Score: -1.00%

Function 00405B20 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
CloseHandle.KERNEL32(?), ref: 00405B56

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
Instruction ID: 0547baa0b497a95b6ed0e8f273b1969b1ac2c9598ef2001c301bcde660c6e2d6
Opcode Fuzzy Hash: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
Instruction Fuzzy Hash: 3EE092B4600209BFEB10AB64AE49F7B7AACEB04704F004565BA51E61A1DB78E8158A78

Uniqueness

Uniqueness Score: -1.00%

Function 0040690A Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
GetProcAddress.KERNEL32(00000000,?), ref: 00406937

Part of subcall function 0040689A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
Part of subcall function 0040689A: wsprintfW.USER32 ref: 004068EC
Part of subcall function 0040689A: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406900

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 6f78d3fdf53352f122fdb8e7e1f438bdfac4fae158339a91a146711bf240c1a4
Instruction ID: 98bdf7d71c6046f852b78b75196177710d0a141037308efd39b2ac7baa162fea
Opcode Fuzzy Hash: 6f78d3fdf53352f122fdb8e7e1f438bdfac4fae158339a91a146711bf240c1a4
Instruction Fuzzy Hash: 9FE0867390422066D21196745D44D7773A89B99750306443EF946F2090DB38DC31A76E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C05 Relevance: 3.0, APIs: 2, Instructions: 21windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000000B,00000001), ref: 00402C14
InvalidateRect.USER32(?), ref: 00402C24

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID:
API String ID: 909852535-0
Opcode ID: 0509652848a83ac1d7feddac23dc24ced32f84c0220a85d8a6f2313ae5a63aab
Instruction ID: 5efb85e177e5feb05262591b5578bbf68be0fc1facb886aaf0ec985341d6bcc2
Opcode Fuzzy Hash: 0509652848a83ac1d7feddac23dc24ced32f84c0220a85d8a6f2313ae5a63aab
Instruction Fuzzy Hash: CEE08C72700008FFEB01CBA4EE84DAEB779FB40315B00007AF502A00A0D7300D40DA28

Uniqueness

Uniqueness Score: -1.00%

Function 0040602D Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000003,004030BD,C:\Users\user\Desktop\Setup (1).exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00406008 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
SetFileAttributesW.KERNEL32(?,00000000), ref: 00406021

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: c979a2e86073268fb5c10017c0603d576bb262e7e1663e1e1b2ee048d1a5e24b
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 34D012725041316FC2102728EF0C89BBF55EF643717014B35F9A5A22F0CB304C638A98

Uniqueness

Uniqueness Score: -1.00%

Function 00403B12 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403A5E,?), ref: 00403B1D

Strings

C:\Users\user\AppData\Local\Temp\nsb9574.tmp\, xrefs: 00403B31

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\nsb9574.tmp\
API String ID: 2962429428-336389646
Opcode ID: e86ec88962d2cddd060eb64ec5e150871475ae72b9f2b14f7d4b77a190cc5563
Instruction ID: 74b342ff74dc5917d60848dc34610585f5de2c5243f802b65b47dd8438b48b4d
Opcode Fuzzy Hash: e86ec88962d2cddd060eb64ec5e150871475ae72b9f2b14f7d4b77a190cc5563
Instruction Fuzzy Hash: 5EC0123050470056D1646F749E4FE153B64AB4073EB600325B0F9B10F1CB3C5759895D

Uniqueness

Uniqueness Score: -1.00%

Function 00405AEB Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1
GetLastError.KERNEL32 ref: 00405AFF

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 33feed20cbbf131019f18849f7ccc9358209a8d33535326e0157453b6049084a
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: 1BC04C30204501AED6105B609E48B177AA4DB50741F16843D6146E41E0DA789455EE2D

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA4 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0040559F: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,00000000,00425020,762323A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,00000000,00425020,762323A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,00403418), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Part of subcall function 00405B20: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
Part of subcall function 00405B20: CloseHandle.KERNEL32(?), ref: 00405B56

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 00401FEB

Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
Part of subcall function 004069B5: GetExitCodeProcess.KERNEL32(?,?), ref: 004069E8

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: MessageSend$CloseProcesslstrlen$ChangeCodeCreateExitFindHandleNotificationObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 1543427666-0
Opcode ID: 11aaa4362747121357e125e8dbb3e446f77891c3c0f7104508ea78bcc2682684
Instruction ID: a015d294fcb9cc4e365613bb9e09bf6e78b00889af70ee47f703a6c6056ea9c8
Opcode Fuzzy Hash: 11aaa4362747121357e125e8dbb3e446f77891c3c0f7104508ea78bcc2682684
Instruction Fuzzy Hash: 2DF09072904112EBCB21BBA59A84EDE76E8DF01318F25403BE102B21D1D77C4E429A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00402891 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,?,00000000,?,?), ref: 004028AF

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 1a69bed114d0c3cb27e295a60469d00fb85b85c1c8bbaab52ea3f411131a6a45
Instruction ID: a13d1cf18dcce6f7d85bed0b4e0fde0de6b16079219dfacd376ffc086bc6f252
Opcode Fuzzy Hash: 1a69bed114d0c3cb27e295a60469d00fb85b85c1c8bbaab52ea3f411131a6a45
Instruction Fuzzy Hash: D3E09271A04105BFDB01EFA5AE499AEB3B8EF44319B10483BF102F00C1DA794D119B2D

Uniqueness

Uniqueness Score: -1.00%

Function 004060DF Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403498,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 004060F3

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: d8d859634201a592f38c73999a999f352708a9e59580de02994c407fa40ca669
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: FAE08C3220026AABEF109E60DC04AEB3B6CFB00360F014837FA16E7081E270E93087A4

Uniqueness

Uniqueness Score: -1.00%

Function 004060B0 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E2,00000000,00000000,00403306,000000FF,00000004,00000000,00000000,00000000), ref: 004060C4

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: 1583d2e05e1cff28e3594e7db3f0db2d88eef65457287744bb544c492d9958e5
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: AEE0EC322502AAABDF10AE65DC04AEB7B6CEB05361F018936FD16E6150E631E92197A4

Uniqueness

Uniqueness Score: -1.00%

Function 004063AA Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(00000000,00000000,00000000,00650000,00432EA0,?,00650000,?,00406438,?,00000000,00650000,00650000,00432EA0,?), ref: 004063CE

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction ID: 4361357c0318622cec318f667d88df30c4c29b75262f7bca7234b06b46464da2
Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction Fuzzy Hash: 83D0123210020EBBDF115F91AD01FAB3B5DAB08310F014426FE06E40A1D775D530A764

Uniqueness

Uniqueness Score: -1.00%

Function 00404499 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

Part of subcall function 0040657A: lstrcatW.KERNEL32(00432EA0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(00432EA0,00000000,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,?,004055D6,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,00000000), ref: 00406779

SetDlgItemTextW.USER32(?,?,00000000), ref: 004044B3

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: ItemTextlstrcatlstrlen
String ID:
API String ID: 281422827-0
Opcode ID: 90e9d348aac44dd859050291e9807f2f15480ffb268b4e012463b180631e3b26
Instruction ID: 6ac98b26730712a62f5b3967fa7f39b4c61dbbfa6ef1674fce18da22a1fc1fc0
Opcode Fuzzy Hash: 90e9d348aac44dd859050291e9807f2f15480ffb268b4e012463b180631e3b26
Instruction Fuzzy Hash: D3C08C35008200BFD641A714EC42F0FB7A8FFA031AF00C42EB05CA10D1C63494208A2A

Uniqueness

Uniqueness Score: -1.00%

Function 004044E5 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(0002040C,00000000,00000000,00000000), ref: 004044F7

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b985a0028b3d47d2300e38cb49a9103195f452c5c5dca8052d978926f7780193
Instruction ID: 729772cd993a62bf3dcd5a53f5ba0c6067f9c4589e443fe2cdcdd0dddf41cb53
Opcode Fuzzy Hash: b985a0028b3d47d2300e38cb49a9103195f452c5c5dca8052d978926f7780193
Instruction Fuzzy Hash: 74C04CB1740605BADA108B509D45F0677546750701F188429B641A50E0CA74E410D62C

Uniqueness

Uniqueness Score: -1.00%

Function 00405B63 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00405B72

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
Instruction ID: 155326c85e208380d9db810c36285a9e1b4200be200639c8195ffcf147e959ee
Opcode Fuzzy Hash: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
Instruction Fuzzy Hash: BEC092B2000200EFE301CF80CB09F067BE8AF54306F028068E185DA060C7788840CB29

Uniqueness

Uniqueness Score: -1.00%

Function 004044CE Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ea04ea026f55595d688d74c1d87789f1c1942be7a89ca5b988cfd0b6025de892
Instruction ID: f9270ce27bc2d5d500308faa7c43699bdd9cec228278350af1c7ef3a72e6c056
Opcode Fuzzy Hash: ea04ea026f55595d688d74c1d87789f1c1942be7a89ca5b988cfd0b6025de892
Instruction Fuzzy Hash: 4FB01235181A00FBDE514B00DE09F857E62F7E4701F058038F341240F0CBB200A4DB08

Uniqueness

Uniqueness Score: -1.00%

Function 004034E5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040387D,?), ref: 004034F3

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 004044BB Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00404292), ref: 004044C5

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 88c3b14432b04161d4e03979afc52f71aef4d1a500ec292a4d39f98dda9e77ac
Instruction ID: 0db23a64e3c973129ccb7351ad80e5cfa0365495cc8a336c35755b545d17f2be
Opcode Fuzzy Hash: 88c3b14432b04161d4e03979afc52f71aef4d1a500ec292a4d39f98dda9e77ac
Instruction Fuzzy Hash: 74A00275508601DBDE115B51DF09D057B71A7547017414579A18551034C6314461EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 0247c60e4c81cd0d93bf07655b107266fb29897d22759340ec027b86c090604d
Instruction ID: 7e4bd3fa72896d3e54e8b4d9ea8ddceac118c8145159a7c2ee745a60f6c60e84
Opcode Fuzzy Hash: 0247c60e4c81cd0d93bf07655b107266fb29897d22759340ec027b86c090604d
Instruction Fuzzy Hash: 8DD0A773B141018BD704EBFCFE8545E73E8EB503293208C37D402E10D1E678C846461C

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040498A Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004049D9
SetWindowTextW.USER32(00000000,?), ref: 00404A03
SHBrowseForFolderW.SHELL32(?), ref: 00404AB4
CoTaskMemFree.OLE32(00000000), ref: 00404ABF
lstrcmpiW.KERNEL32(00432EA0,0042D268,00000000,?,?), ref: 00404AF1
lstrcatW.KERNEL32(?,00432EA0), ref: 00404AFD
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B0F

Part of subcall function 00405B81: GetDlgItemTextW.USER32(?,?,00000400,00404B46), ref: 00405B94

Part of subcall function 004067C4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,76233420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406827
Part of subcall function 004067C4: CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406836
Part of subcall function 004067C4: CharNextW.USER32(?,00000000,76233420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040683B
Part of subcall function 004067C4: CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040684E

GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 00404BD2
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BED

Part of subcall function 00404D46: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
Part of subcall function 00404D46: wsprintfW.USER32 ref: 00404DF0
Part of subcall function 00404D46: SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03

Strings

A, xrefs: 00404AAD

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A
API String ID: 2624150263-3554254475
Opcode ID: fab986b41fe51bcb83dfe55d65232c7215597a26c5e3df290e301c6af6088bb7
Instruction ID: a81e8b8b6ddc8ea4f7a7a45a10ce21cc850824e22f7b82fba9ad49fead82d7d1
Opcode Fuzzy Hash: fab986b41fe51bcb83dfe55d65232c7215597a26c5e3df290e301c6af6088bb7
Instruction Fuzzy Hash: CBA191B1900208ABDB119FA6DD45AAFB7B8EF84314F10803BF601B62D1D77C9A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 1.6, APIs: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: f0c7f0c58da5b2556a219b4126ec8a5e6c03aa9de5f34d462473648d541e39b0
Instruction ID: 5977cb51530078b600b156af0050786de557c4b464dd586e6a5beaa7a0440451
Opcode Fuzzy Hash: f0c7f0c58da5b2556a219b4126ec8a5e6c03aa9de5f34d462473648d541e39b0
Instruction Fuzzy Hash: A7411571A00208EFCF40DFE4C989E9D7BB5BF49348B20456AF905EB2D1DB799981CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 23bc45f7dafbc09bf3d58dfb9668e04a20f74da7ffae18e0ad0b6f577034eb1d
Instruction ID: 3f6fbcf0fd4d311cdd608d5f72697756ed96b8559223cd5d9f1c4d92bc61f1b3
Opcode Fuzzy Hash: 23bc45f7dafbc09bf3d58dfb9668e04a20f74da7ffae18e0ad0b6f577034eb1d
Instruction Fuzzy Hash: 3CF08271A04105EFD701DBA4ED49AAEB378FF14314F60417BE116F21D0E7B88E159B29

Uniqueness

Uniqueness Score: -1.00%

Function 00406D85 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
Instruction ID: 3db1d01f4341fbbb805040525b4c18df43ce82c239752998d09602440244d977
Opcode Fuzzy Hash: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
Instruction Fuzzy Hash: FEE18A71A0070ADFCB24CF59D880BAABBF5FB44305F15852EE496A72D1D338AA91CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040755C Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction ID: 4d3fc1c80ea15bf86cc2801d6424e98614acddb7a54358772128df9d71e60e61
Opcode Fuzzy Hash: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction Fuzzy Hash: C6C14871E042599BCF18CF68C8905EEBBB2BF88314F25866AD85677380D7347941CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404F06 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F1E
GetDlgItem.USER32(?,00000408), ref: 00404F29
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F73
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F8A
SetWindowLongW.USER32(?,000000FC,00405513), ref: 00404FA3
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB7
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFD
DeleteObject.GDI32(00000000), ref: 00405000
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102

Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
GetWindowLongW.USER32(?,000000F0), ref: 00405144
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405152
ShowWindow.USER32(?,00000005), ref: 00405162
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052D7
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FB
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
ImageList_Destroy.COMCTL32(?), ref: 00405330
GlobalFree.KERNEL32(?), ref: 00405340
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
SendMessageW.USER32(?,00001102,?,?), ref: 00405462
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
InvalidateRect.USER32(?,00000000,00000001), ref: 0040549C
ShowWindow.USER32(?,00000000), ref: 004054EA
GetDlgItem.USER32(?,000003FE), ref: 004054F5
ShowWindow.USER32(00000000), ref: 004054FC

Strings

, xrefs: 004054D4
N, xrefs: 0040519B
M, xrefs: 004050BA

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 8650db15f8eec7f2c7436ff7bc9e6097db9116c58dec0643669c66b6eab2f928
Instruction ID: 669472b6e39b4296dbb294a81ed98d86f32f22d8abeb4cff7518c6a892085abf
Opcode Fuzzy Hash: 8650db15f8eec7f2c7436ff7bc9e6097db9116c58dec0643669c66b6eab2f928
Instruction Fuzzy Hash: EF028A70900608EFDB20DFA9DD45AAF7BB5FB84314F10817AE610BA2E0D7799942DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404658 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046F6
GetDlgItem.USER32(?,000003E8), ref: 0040470A
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404727
GetSysColor.USER32(?), ref: 00404738
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404746
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404754
lstrlenW.KERNEL32(?), ref: 00404759
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404766
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040477B
GetDlgItem.USER32(?,0000040A), ref: 004047D4
SendMessageW.USER32(00000000), ref: 004047DB
GetDlgItem.USER32(?,000003E8), ref: 00404806
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404849
LoadCursorW.USER32(00000000,00007F02), ref: 00404857
SetCursor.USER32(00000000), ref: 0040485A
LoadCursorW.USER32(00000000,00007F00), ref: 00404873
SetCursor.USER32(00000000), ref: 00404876
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048A5
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B7

Strings

N, xrefs: 004047F4

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N
API String ID: 3103080414-1130791706
Opcode ID: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
Instruction ID: e0aa441e67ff77812dea5cfa76c138b5706349c0d06c8e95e02877fce1cb63d1
Opcode Fuzzy Hash: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
Instruction Fuzzy Hash: 1A61A3B5900209BFDB10AF60DD85E6A7BA9FB44314F00843AFB05B62D0D778A951DF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
Instruction ID: e457e53e67a16f607b198c8be77aa7e47a8fd9e6aa67a1a07366d16d1d2d9a76
Opcode Fuzzy Hash: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
Instruction Fuzzy Hash: 0E418B71800209AFCF058FA5DE459AF7FB9FF44315F04802AF991AA1A0C738AA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406183 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040631E,?,?), ref: 004061BE
GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061C7

Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4

GetShortPathNameW.KERNEL32(?,00431108,00000400), ref: 004061E4
wsprintfA.USER32 ref: 00406202
GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 0040623D
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
GlobalFree.KERNEL32(00000000), ref: 004062EB
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F2

Part of subcall function 0040602D: GetFileAttributesW.KERNEL32(00000003,004030BD,C:\Users\user\Desktop\Setup (1).exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

Strings

[Rename], xrefs: 0040626C, 0040627E
%ls=%ls, xrefs: 004061F8

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 3eb5dbf79ac4ddf413f0c019f4100ae622bbb273f46fb57107943c4ea094d0dd
Instruction ID: 71978d88b6039f89b25a0dfa2ffa892efa56fbf884cfe692307f7793e751c739
Opcode Fuzzy Hash: 3eb5dbf79ac4ddf413f0c019f4100ae622bbb273f46fb57107943c4ea094d0dd
Instruction Fuzzy Hash: 6A314670200716BBD2207B659D48F6B3A6CEF45754F15017EFA42F62C2EA3CA821867D

Uniqueness

Uniqueness Score: -1.00%

Function 00404500 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040451D
GetSysColor.USER32(00000000), ref: 0040455B
SetTextColor.GDI32(?,00000000), ref: 00404567
SetBkMode.GDI32(?,?), ref: 00404573
GetSysColor.USER32(?), ref: 00404586
SetBkColor.GDI32(?,?), ref: 00404596
DeleteObject.GDI32(?), ref: 004045B0
CreateBrushIndirect.GDI32(?), ref: 004045BA

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: 19446832cb8519ea1938040ed984131457e28e93d0b00b9b4dc42373f0e33a15
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: 382177B1500705AFCB31DF68DD08B5BBBF8AF41714B058A2EEA96B22E1C734E944CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004067C4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,76233420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406827
CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406836
CharNextW.USER32(?,00000000,76233420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040683B
CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040684E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004067C5
*?|<>/":, xrefs: 00406816

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-826357637
Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction ID: 8e05d213a2b26a47bd0c986db1e6a85e10b5e067f284fb5e9645f7af11a9ce3c
Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction Fuzzy Hash: 7311862780161295DB313B158C44A77A2A8AF58798F56843FED86B32C1E77C8C9282AD

Uniqueness

Uniqueness Score: -1.00%

Function 00404E54 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E6F
GetMessagePos.USER32 ref: 00404E77
ScreenToClient.USER32(?,?), ref: 00404E91
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EA3
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC9

Strings

f, xrefs: 00404EA5

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 177f1d0b32132a6560496663958852c5fe6f1b23f9da62007dee57caca3d7f28
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 34014C71900219BADB00DBA4DD85BFFBBB8AB54711F10012BBA50B61C0D7B49A058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 0040657A: lstrcatW.KERNEL32(00432EA0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(00432EA0,00000000,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,?,004055D6,C:\Users\user\AppData\Local\Temp\nsb9574.tmp\,00000000), ref: 00406779

CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3

Strings

MS Shell Dlg, xrefs: 00401EB9

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID: MS Shell Dlg
API String ID: 2584051700-76309092
Opcode ID: 0465d2832808ea9d6fff4b9245e4cab849096788d5b9b76ed02900a81bf07427
Instruction ID: 78b13ae86a0973dc2b43aa2eb6c1af0beb3c1ef463c522f55250376beecb9f8a
Opcode Fuzzy Hash: 0465d2832808ea9d6fff4b9245e4cab849096788d5b9b76ed02900a81bf07427
Instruction Fuzzy Hash: 7001B571904241EFEB005BB0EE49B9A3FB4BB15301F108A39F541B71D2C7B904458BED

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
MulDiv.KERNEL32(00017148,00000064,00019AB8), ref: 00402FDC
wsprintfW.USER32 ref: 00402FEC
SetWindowTextW.USER32(?,?), ref: 00402FFC
SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E

Strings

verifying installer: %d%%, xrefs: 00402FE6

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 34baaeb4f482044ab67dd7918236f7f229881b82dd6befd7adca30260b95ec65
Instruction ID: eb17ebabde20c32bd565f0ca98bf5c3c7f8a04474e671541d9d17dad0456e96b
Opcode Fuzzy Hash: 34baaeb4f482044ab67dd7918236f7f229881b82dd6befd7adca30260b95ec65
Instruction Fuzzy Hash: 20014B7064020DABEF209F60DE4AFEA3B79FB04345F008039FA06B51D0DBB999559F69

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: e1732767013c4c100bfa1170f2d4a703ec8f6d39e214e55debeee1090b724c67
Instruction ID: 8fc1a79e9ee36ebd610a2d663d7387b5f1fea8f48d7bc9e01940cd119f3fb53c
Opcode Fuzzy Hash: e1732767013c4c100bfa1170f2d4a703ec8f6d39e214e55debeee1090b724c67
Instruction Fuzzy Hash: 5831C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E0CB794C429BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction ID: ca6229ec891c5908b4c2d3bab14ae3db7b9396451d72a40731f1c02386a45f13
Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction Fuzzy Hash: DA215A7150010ABBEF119F90CE89EEF7B7DEB50384F100076F909B21A0D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00404D46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
wsprintfW.USER32 ref: 00404DF0
SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03

Strings

%u.%u%s%s, xrefs: 00404DD1

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: ef5a487acd93c416279d422af54232d8d0333c49029b07dfc4f1175e68c26d0a
Instruction ID: d7f2b51e3f2153b105aad6c1cbcae815e44f670c765de83d30fbb221df5484fa
Opcode Fuzzy Hash: ef5a487acd93c416279d422af54232d8d0333c49029b07dfc4f1175e68c26d0a
Instruction Fuzzy Hash: AC11D573A041283BDB10656DAC45E9E369CAF81334F254237FA66F21D1EA78D91182E8

Uniqueness

Uniqueness Score: -1.00%

Function 00405EB7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
CharNextW.USER32(00000000), ref: 00405ECA
CharNextW.USER32(00000000), ref: 00405EE2

Strings

C:\, xrefs: 00405EB8

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: 389604e099afbb0f1c733809242fd9884b65eb47018f1a61235cb76474637dc7
Instruction ID: b7f7aa27055ddc775a1b47344aef2f77b81fec2ea34db2f3ccdabfa21b6bce3d
Opcode Fuzzy Hash: 389604e099afbb0f1c733809242fd9884b65eb47018f1a61235cb76474637dc7
Instruction Fuzzy Hash: 7BF0F631810E1296DB317B548C44E7B97BCEB64354B04843BD741B71C0D3BC8D808BDA

Uniqueness

Uniqueness Score: -1.00%

Function 00405E0C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E12
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E1C
lstrcatW.KERNEL32(?,0040A014), ref: 00405E2E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E0C

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3936084776
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 1a595bf39a0a3392b99637bd72bd9cca8666c17676e511d5d4bf90e80f698eee
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: A8D0A731101930BAC2127B49EC08DDF62ACAE89340341443BF145B30A4CB7C5E5187FD

Uniqueness

Uniqueness Score: -1.00%

Function 00403019 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,004031F7,00000001,?,?,?,?,?,0040387D,?), ref: 0040302C
GetTickCount.KERNEL32 ref: 0040304A
CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040387D,?), ref: 00403075

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
Instruction ID: 3364d2369d767f53e7c05e99e54cbc9c067443d5da9c9f227d7c3a258cba7bb7
Opcode Fuzzy Hash: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
Instruction Fuzzy Hash: A9F08270702A20AFC2316F50FE4998B7F68FB44B56741447AF446B15ACCB380DA2CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405513 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405542
CallWindowProcW.USER32(?,?,?,?), ref: 00405593

Part of subcall function 004044E5: SendMessageW.USER32(0002040C,00000000,00000000,00000000), ref: 004044F7

Strings

, xrefs: 00405523

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
Instruction ID: 904a7c61355239921aaa7855b64c86422fca6e8886f64d9e6fcbc6a993ea73ec
Opcode Fuzzy Hash: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
Instruction Fuzzy Hash: F3017CB1100608BFDF209F11DD80AAB3B27EB84754F50453AFA01762D5D77A8E92DA69

Uniqueness

Uniqueness Score: -1.00%

Function 00405F92 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBA
CharNextA.USER32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB
lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4

Memory Dump Source

Source File: 00000000.00000002.2399186886.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2399166622.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399205800.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000442000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399221025.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2399447060.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup (1).jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: bd09551308ad338638525116890fdadd4ab1f465f5503068af61de479685a4e4
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: 34F0C231604418FFC7029BA5CD0099EBBA8EF06250B2140AAF840FB210D678DE019BA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Setupuser.exePID: 7664, Parent PID: 3944COMMON

Execution Graph

Execution Coverage:	30.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1352
Total number of Limit Nodes:	36

Executed Functions

Function 0040352D Relevance: 91.4, APIs: 34, Strings: 18, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00008001), ref: 00403550
GetVersionExW.KERNEL32(?), ref: 00403579
GetVersionExW.KERNEL32(0000011C), ref: 00403590
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403627
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403663
OleInitialize.OLE32(00000000), ref: 0040366A
SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403688
GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 0040369D
CharNextW.USER32(00000000,"C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe" /fcid 1708534066480873,00000020,"C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe" /fcid 1708534066480873,00000000), ref: 004036D6
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 00403809
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040381A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403826
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040383A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403842
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403853
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040385B
DeleteFileW.KERNEL32(1033), ref: 0040386F
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403956
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403965

Part of subcall function 00405AEB: CreateDirectoryW.KERNEL32(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403970
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\FAST!\Temp,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe" /fcid 1708534066480873,00000000,?), ref: 0040397C
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040399C
DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00436000,?), ref: 004039FB
CopyFileW.KERNEL32(C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe,0042AA28,00000001), ref: 00403A0E
CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403A3B
ExitProcess.KERNEL32(?), ref: 00403A59
OleUninitialize.OLE32(?), ref: 00403A5E
ExitProcess.KERNEL32 ref: 00403A78
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A8C
OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA7
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AC6
ExitWindowsEx.USER32(00000002,80040002), ref: 00403AEB
ExitProcess.KERNEL32 ref: 00403B0C

Strings

C:\Program Files (x86)\Fast!, xrefs: 004037EE, 0040391D, 004039A4, 004039AE
\Temp, xrefs: 00403820
C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe, xrefs: 00403A09
.tmp, xrefs: 0040396A
TMP, xrefs: 00403856
NSIS Error, xrefs: 0040368E
Low, xrefs: 0040383C
C:\Users\user\AppData\Local\Temp\, xrefs: 004037FE, 00403803, 00403819, 00403825, 00403834, 00403841, 0040384D, 00403855, 00403953, 00403964, 0040396F, 0040397B, 0040398C, 0040399B, 00403A51
"C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe" /fcid 1708534066480873, xrefs: 004036A3, 004036A9, 004036BE, 00403895, 004038A1, 004038EF, 004038F9
SeShutdownPrivilege, xrefs: 00403AA1
~nsu, xrefs: 0040394E
TEMP, xrefs: 0040384E
&dsk_iosec=54466&dsk_mbsec=212&os_name=Microsoft Windows 10 Pro&os_installdate=20231003105718.000000+120&os_processes=106&os_archi, xrefs: 004039DF, 00403A44
1033, xrefs: 0040386A
UXTHEME, xrefs: 0040361B, 00403620, 00403626
C:\Program Files (x86)\Fast!, xrefs: 00403928
C:\Users\user\AppData\Local\FAST!\Temp, xrefs: 00403975, 0040397A, 004039AD
Error launching installer, xrefs: 004038FF

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe" /fcid 1708534066480873$&dsk_iosec=54466&dsk_mbsec=212&os_name=Microsoft Windows 10 Pro&os_installdate=20231003105718.000000+120&os_processes=106&os_archi$.tmp$1033$C:\Program Files (x86)\Fast!$C:\Program Files (x86)\Fast!$C:\Users\user\AppData\Local\FAST!\Temp$C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe$C:\Users\user\AppData\Local\Temp\$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2292928366-203998114
Opcode ID: 31f77c8a8b3a3ad3f5f74e486622c6887c952165384ea8b63ade3724d5224d7f
Instruction ID: 4d4dc0a58e4858e72561def8a0259f0227da8af974c10a5ea2b310ef4b80d7a5
Opcode Fuzzy Hash: 31f77c8a8b3a3ad3f5f74e486622c6887c952165384ea8b63ade3724d5224d7f
Instruction Fuzzy Hash: 66E10670A00214AADB10AFB59D45BAF3AB8EF4470AF14847FF545B22D1DB7C8A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C49 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C72
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsjF660.tmp\*.*,\*.*), ref: 00405CBA
lstrcatW.KERNEL32(?,0040A014), ref: 00405CDD
lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsjF660.tmp\*.*,?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CE3
FindFirstFileW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsjF660.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsjF660.tmp\*.*,?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CF3
FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
FindClose.KERNEL32(00000000), ref: 00405DA2

Strings

C:\Users\user\AppData\Local\Temp\nsjF660.tmp\*.*, xrefs: 00405CA2, 00405CA8, 00405CB9, 00405CF2
., xrefs: 00405D18
., xrefs: 00405D04
\*.*, xrefs: 00405CB4
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C56

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsjF660.tmp\*.*$\*.*
API String ID: 2035342205-2830454677
Opcode ID: 91e5555b9508150fcf6e55f7c9d4dc2ae8152fc7335161658e002f7252bbf59f
Instruction ID: 8b2ee76931e9ba666d6dc67a471f1b560bbb00ea1adf29c264b32972d7114dcf
Opcode Fuzzy Hash: 91e5555b9508150fcf6e55f7c9d4dc2ae8152fc7335161658e002f7252bbf59f
Instruction Fuzzy Hash: 3D41A130900A14BADB216B65CC8DABF7678DF81714F14817FF841B21D1D77C4A819EAE

Uniqueness

Uniqueness Score: -1.00%

Function 00406873 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,004302B8,C:\,00405F5D,C:\,C:\,00000000,C:\,C:\, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 0040687E
FindClose.KERNEL32(00000000), ref: 0040688A

Strings

C:\, xrefs: 00406873

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
Instruction ID: 67599a3b69382adcf67454a25bfea179debcebd0a6e2e92eb77ede12202c023a
Opcode Fuzzy Hash: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
Instruction Fuzzy Hash: C3D012325192205FC3402B386E0C84B7A989F16331726CB76B4AAF51E0D7388C7387BD

Uniqueness

Uniqueness Score: -1.00%

Function 004056DE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040573C
GetDlgItem.USER32(?,000003EE), ref: 0040574B
GetClientRect.USER32(?,?), ref: 00405788
GetSystemMetrics.USER32(00000002), ref: 0040578F
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B0
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C1
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D4
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E2
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057F5
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405817
ShowWindow.USER32(?,00000008), ref: 0040582B
GetDlgItem.USER32(?,000003EC), ref: 0040584C
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040585C
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405875
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405881
GetDlgItem.USER32(?,000003F8), ref: 0040575A

Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

GetDlgItem.USER32(?,000003EC), ref: 0040589E
CreateThread.KERNEL32(00000000,00000000,Function_00005672,00000000), ref: 004058AC
CloseHandle.KERNEL32(00000000), ref: 004058B3
ShowWindow.USER32(00000000), ref: 004058D7
ShowWindow.USER32(000403FA,00000008), ref: 004058DC
ShowWindow.USER32(00000008), ref: 00405926
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595A
CreatePopupMenu.USER32 ref: 0040596B
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040597F
GetWindowRect.USER32(?,?), ref: 0040599F
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059B8
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F0
OpenClipboard.USER32(00000000), ref: 00405A00
EmptyClipboard.USER32 ref: 00405A06
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A12
GlobalLock.KERNEL32(00000000), ref: 00405A1C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A30
GlobalUnlock.KERNEL32(00000000), ref: 00405A50
SetClipboardData.USER32(0000000D,00000000), ref: 00405A5B
CloseClipboard.USER32 ref: 00405A61

Strings

{, xrefs: 00405944

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 943fc32418130b232fc7306fa704d0383798a9d724e6e480ce665c9b6ea9918b
Instruction ID: 6b97441d6f4cfe62a880681573964a63c423f2dd70b2063085686802d9cc5617
Opcode Fuzzy Hash: 943fc32418130b232fc7306fa704d0383798a9d724e6e480ce665c9b6ea9918b
Instruction Fuzzy Hash: C8B169B1900608FFDB119FA0DD85AAE7B79FB44355F00803AFA41BA1A0C7755E51DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403F9A Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FD6
ShowWindow.USER32(?), ref: 00403FF6
GetWindowLongW.USER32(?,000000F0), ref: 00404008
ShowWindow.USER32(?,00000004), ref: 00404021
DestroyWindow.USER32 ref: 00404035
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040404E
GetDlgItem.USER32(?,?), ref: 0040406D
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404081
IsWindowEnabled.USER32(00000000), ref: 00404088
GetDlgItem.USER32(?,00000001), ref: 00404133
GetDlgItem.USER32(?,00000002), ref: 0040413D
SetClassLongW.USER32(?,000000F2,?), ref: 00404157
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A8
GetDlgItem.USER32(?,00000003), ref: 0040424E
ShowWindow.USER32(00000000,?), ref: 0040426F
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404281
EnableWindow.USER32(?,?), ref: 0040429C
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042B2
EnableMenuItem.USER32(00000000), ref: 004042B9
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D1
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042E4
lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 0040430E
SetWindowTextW.USER32(?,0042D268), ref: 00404322
ShowWindow.USER32(?,0000000A), ref: 00404456

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: f65e638bec718107b599af9a82b264fc0764d6b1c1dffbdcb4ef221558e01a13
Instruction ID: 19e8ffe36521fda3862950d2389d84f1ef0c133ac5ff71005f69e3a94542e2f3
Opcode Fuzzy Hash: f65e638bec718107b599af9a82b264fc0764d6b1c1dffbdcb4ef221558e01a13
Instruction Fuzzy Hash: DDC1A1B1A00704ABDB206F61EE49E2B3A68FB84746F15053EF741B61F1CB799841DB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00403BEC Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040690A: GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
Part of subcall function 0040690A: GetProcAddress.KERNEL32(00000000,?), ref: 00406937

lstrcatW.KERNEL32(1033,0042D268), ref: 00403C6D
lstrlenW.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files (x86)\Fast!,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,76233420), ref: 00403CED
lstrcmpiW.KERNEL32(?,.exe,Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files (x86)\Fast!,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403D00
GetFileAttributesW.KERNEL32(Remove folder: ,?,00000000,?), ref: 00403D0B
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files (x86)\Fast!), ref: 00403D54

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

RegisterClassW.USER32(00433EA0), ref: 00403D91
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DA9
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DDE
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403E14
GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403E40
GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403E4D
RegisterClassW.USER32(00433EA0), ref: 00403E56
DialogBoxParamW.USER32(?,00000000,00403F9A,00000000), ref: 00403E75

Strings

C:\Program Files (x86)\Fast!, xrefs: 00403C7C, 00403C84, 00403D27, 00403D2D, 00403D3D
RichEdit20W, xrefs: 00403E38, 00403E3E
Control Panel\Desktop\ResourceLocale, xrefs: 00403C20
RichEd20, xrefs: 00403E1A
RichEd32, xrefs: 00403E28
1033, xrefs: 00403C0C, 00403C68
_Nb, xrefs: 00403D70, 00403DD8
.exe, xrefs: 00403CFA
C:\Users\user\AppData\Local\Temp\, xrefs: 00403BF1
.DEFAULT\Control Panel\International, xrefs: 00403C58
Remove folder: , xrefs: 00403CB4, 00403CBD, 00403CCB, 00403D1A, 00403D20
RichEdit, xrefs: 00403E47

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Program Files (x86)\Fast!$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1069135723
Opcode ID: d676aef2f71fbad829aa91df8609c37157257c620a924ef9afc500929f8c8bb5
Instruction ID: 6cc527b2f10929733706d009ff8c1d9b21e511251dd9cb17fe62514cef47010a
Opcode Fuzzy Hash: d676aef2f71fbad829aa91df8609c37157257c620a924ef9afc500929f8c8bb5
Instruction Fuzzy Hash: F561A670140300BED721AF66ED46F2B3A6CEB84B5AF40453FF945B62E2CB7D59018A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040307D Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040308E
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe,00000400,?,?,?,?,?,0040387D,?), ref: 004030AA

Part of subcall function 0040602D: GetFileAttributesW.KERNEL32(00000003,004030BD,C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user\AppData\Local\FAST!\Temp,C:\Users\user\AppData\Local\FAST!\Temp,C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe,C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
GlobalAlloc.KERNEL32(00000040,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C

Strings

Inst, xrefs: 00403162
C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe, xrefs: 00403094, 004030A3, 004030B7, 004030D7
Null, xrefs: 00403174
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
soft, xrefs: 0040316B
C:\Users\user\AppData\Local\FAST!\Temp, xrefs: 004030D8, 004030DD, 004030E3
C:\Users\user\AppData\Local\Temp\, xrefs: 00403084
}8@, xrefs: 00403227, 00403242
Error launching installer, xrefs: 004030CD

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\FAST!\Temp$C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe$C:\Users\user\AppData\Local\Temp\$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$}8@
API String ID: 2803837635-786118242
Opcode ID: 1dea39ccc6c39406b0d997d68cfd0a58dedaebe218e2b7937ece93c5b698421c
Instruction ID: 750c061bb954c4555836cecba7cc54c639b148d890841a972b43b12454d44aa7
Opcode Fuzzy Hash: 1dea39ccc6c39406b0d997d68cfd0a58dedaebe218e2b7937ece93c5b698421c
Instruction Fuzzy Hash: 7951B571904204AFDB10AF65ED42B9E7EACAB48756F14807BF904B62D1C77C9F408B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040657A Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 196
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Remove folder: ,00000400), ref: 00406695
GetWindowsDirectoryW.KERNEL32(Remove folder: ,00000400,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,?,004055D6,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,00000000,00000000,004258D1,762323A0), ref: 004066A8
lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,?,004055D6,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,00000000), ref: 00406779

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406719
Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\, xrefs: 0040659F
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406663
Remove folder: , xrefs: 004065A4, 00406657, 0040665E, 00406662, 0040667F, 00406694, 004066A7, 004066BC, 004066E9, 0040671E, 00406724, 00406741, 00406754, 00406772, 00406778, 00406781, 004067B7

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-3018986155
Opcode ID: c06be4e573324e40d3b735838f303e9f3324c9f348604da111048893f4ce4833
Instruction ID: 685928b229c5d1fd60d609eb920d771e11fa4d776b5b66b0bad6c944a0f90ddf
Opcode Fuzzy Hash: c06be4e573324e40d3b735838f303e9f3324c9f348604da111048893f4ce4833
Instruction Fuzzy Hash: 1D61D131900205EADB209F64DD80BAE77A5EF54318F22813BE907B72D0D77D99A1CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004032B4 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040331E
GetTickCount.KERNEL32 ref: 004033C5
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033EE
wsprintfW.USER32 ref: 00403401

Strings

... %d%%, xrefs: 004033FB
A, xrefs: 0040347E
A, xrefs: 00403374
*B, xrefs: 004032DF
}8@, xrefs: 004032B4

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: *B$ A$ A$... %d%%$}8@
API String ID: 551687249-3029848762
Opcode ID: dac142f1bd8b58d46ec5ce0932f2b3f247fbee8c78603e198082076923a37247
Instruction ID: 54ab186c05730647c672001b6e56d135182c7b51176e178f40f708a1e84a381e
Opcode Fuzzy Hash: dac142f1bd8b58d46ec5ce0932f2b3f247fbee8c78603e198082076923a37247
Instruction Fuzzy Hash: E251BD31810219EBCF11DF65DA44B9E7BB8AF05756F10827BE804BB2C1D7789E44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,get,get,00000000,00000000,get,C:\Program Files (x86)\Fast!,?,?,00000031), ref: 004017D5

Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A

Part of subcall function 0040559F: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,00000000,004258D1,762323A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,00000000,004258D1,762323A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,00403418), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Strings

C:\Users\user\AppData\Local\Temp\nsjF660.tmp, xrefs: 00401821, 0040183F
get, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\FAST!\Temp\, xrefs: 00401835, 00401851
C:\Program Files (x86)\Fast!, xrefs: 0040179E

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Program Files (x86)\Fast!$C:\Users\user\AppData\Local\FAST!\Temp\$C:\Users\user\AppData\Local\Temp\nsjF660.tmp$get
API String ID: 1941528284-1909764701
Opcode ID: ab293c35546dfc3782223427498d6aa4f9bfee0ec5176a09a0fb6643c1be96c6
Instruction ID: 1e3f5e060805a06bac003644be00ba5f3fef1f2c353f2d3d357c0a6c5ca497fd
Opcode Fuzzy Hash: ab293c35546dfc3782223427498d6aa4f9bfee0ec5176a09a0fb6643c1be96c6
Instruction Fuzzy Hash: F4419371900108BACF11BFB5DD85DAE7A79EF45768B20423FF422B10E2D63C8A91966D

Uniqueness

Uniqueness Score: -1.00%

Function 0040559F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,00000000,004258D1,762323A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
lstrlenW.KERNEL32(00403418,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,00000000,004258D1,762323A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,00403418), ref: 004055FA
SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\), ref: 0040560C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Part of subcall function 0040657A: lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,?,004055D6,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,00000000), ref: 00406779

Strings

Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\, xrefs: 004055C0, 004055D0, 004055D6, 004055F9, 00405605

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\
API String ID: 1495540970-1215285048
Opcode ID: 61fc35634f83d303f4bb0fdf458391b4626c4708e393b35bd1b1a29fdfa46634
Instruction ID: 138a2a903332092674924c4fce2a37a83712bc812e9b86ab44911e1df8857bb6
Opcode Fuzzy Hash: 61fc35634f83d303f4bb0fdf458391b4626c4708e393b35bd1b1a29fdfa46634
Instruction Fuzzy Hash: C1219071900558BACF11AFA9DD84DDFBF75EF45354F14803AF904B22A0C7794A419F68

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 0040610E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406124

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
Instruction ID: 36eba916602f65c1f8b814f2f26102ddc75cc08ed25eda7b441ea0696c55e726
Opcode Fuzzy Hash: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
Instruction Fuzzy Hash: C551E975D00219AADF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040689A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
wsprintfW.USER32 ref: 004068EC
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406900

Strings

\, xrefs: 004068C2
%s%S.dll, xrefs: 004068E6
UXTHEME, xrefs: 004068A3

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: 21628a1c63ce2f140fdd4d546058f3b0ba52bdb51e88dcb335987c0e659eada7
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: D0F0F671511119ABDB10BB64DD0DF9B376CBF00305F10847AA646F10D0EB7CDA68CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 1e4de5253702851df6d0b6f642b82d6f2ecc2e1b33ad35e1f152e248e008f3c4
Instruction ID: 8fc1a79e9ee36ebd610a2d663d7387b5f1fea8f48d7bc9e01940cd119f3fb53c
Opcode Fuzzy Hash: 1e4de5253702851df6d0b6f642b82d6f2ecc2e1b33ad35e1f152e248e008f3c4
Instruction Fuzzy Hash: 5831C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E0CB794C429BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405F14 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A

Part of subcall function 00405EB7: CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2

lstrlenW.KERNEL32(C:\,00000000,C:\,C:\, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F6D
GetFileAttributesW.KERNEL32(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 00405F7D

Strings

4#v, xrefs: 00405F16
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F14
C:\, xrefs: 00405F1A, 00405F1F, 00405F25, 00405F66, 00405F6C, 00405F74, 00405F7C

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 4#v$C:\$C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-1150081906
Opcode ID: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
Instruction ID: e20fb510edeaf32ba19235dad054e15b0ffac27cf679254cac4fdbc394554759
Opcode Fuzzy Hash: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
Instruction Fuzzy Hash: E3F0F426119D6226DB22333A5C05EAF0554CE9276475A023BF895B12C5DB3C8A43D8AE

Uniqueness

Uniqueness Score: -1.00%

Function 00405A6E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1
GetLastError.KERNEL32 ref: 00405AC5
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
GetLastError.KERNEL32 ref: 00405AE4

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A94

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-3936084776
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 637b0a295f6611997b04f2fb2f8121e2d74ae93851c1d74b8ff7b710bfe1865b
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: 1A010871D04219EAEF019BA0DD84BEFBBB4EB14314F00813AD545B6281E7789648CFE9

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
Instruction ID: 549e056fbb7746b1afa8e7352ee9f1cbf83a3633853e14f9ff1f16dc1dd81c22
Opcode Fuzzy Hash: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
Instruction Fuzzy Hash: 46219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040248A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsjF660.tmp,00000023,00000011,00000002), ref: 004024D5
RegSetValueExW.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsjF660.tmp,00000000,00000011,00000002), ref: 00402515
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsjF660.tmp,00000000,00000011,00000002), ref: 004025FD

Strings

C:\Users\user\AppData\Local\Temp\nsjF660.tmp, xrefs: 004024C6, 004024D4, 004024EB, 004024FF, 0040250A

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsjF660.tmp
API String ID: 2655323295-3276570554
Opcode ID: eb1a2893963f699a3576f9d9343ac39c609614edfb45ea7287c3b3745176a0f7
Instruction ID: a32c4fc66ba480c3aafb49ec1434dbeb720bd0d2787204a1d049ba7b64bbfaa1
Opcode Fuzzy Hash: eb1a2893963f699a3576f9d9343ac39c609614edfb45ea7287c3b3745176a0f7
Instruction Fuzzy Hash: 8B118E71E00119BEEF10AFA5DE49EAEBAB8FF44358F15443AF504F61C1D7B88D40AA58

Uniqueness

Uniqueness Score: -1.00%

Function 0040605C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040607A
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,?,0040352B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406095

Strings

nsa, xrefs: 00406069
C:\Users\user\AppData\Local\Temp\, xrefs: 00406061

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1857211195
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: cc98cbd97bba9fac9576f26979179aa346a2ab2dc3c85b14509754d74f2b81c3
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: CEF09076B40204FBEB00CF69ED05E9EB7BCEB95750F11803AFA05F7140E6B499648768

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405EB7: CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2

GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405A6E: CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1

SetCurrentDirectoryW.KERNEL32(?,C:\Program Files (x86)\Fast!,?,00000000,000000F0), ref: 0040164D

Strings

C:\Program Files (x86)\Fast!, xrefs: 00401640

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Program Files (x86)\Fast!
API String ID: 1892508949-1788482285
Opcode ID: e89a9e6a3f09ade376d0d4b3fd71c203f5cd3ef8be9bd613e1140dffb9deb40c
Instruction ID: 910f9ca0e916fbda017ea5bccd1daba2d9720f9cae8b5c5670dceb894c5ef12e
Opcode Fuzzy Hash: e89a9e6a3f09ade376d0d4b3fd71c203f5cd3ef8be9bd613e1140dffb9deb40c
Instruction Fuzzy Hash: 3E11D031504110EBCF216FA5CD4099F36A0EF25369B28493BE945B52F1DA3E4A829A8E

Uniqueness

Uniqueness Score: -1.00%

Function 0040640B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,?,00000000,00000000,?,00000800,00000000,?,00000000,?,?,Remove folder: ,?,?,00406672,80000002), ref: 00406451
RegCloseKey.KERNEL32(?,?,00406672,80000002,Software\Microsoft\Windows\CurrentVersion,Remove folder: ,Remove folder: ,Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\), ref: 0040645C

Strings

Remove folder: , xrefs: 00406412

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: CloseQueryValue
String ID: Remove folder:
API String ID: 3356406503-1958208860
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: a8d415a3dc4e4479eaaa65942f717852bb8bd3539c12dad3b2e52d491ce509ba
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: FB017C72510209AADF21CF51CC09EDB3BB8FB54364F01803AFD5AA6190D738D968DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00403B57 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,76233420,00000000,C:\Users\user\AppData\Local\Temp\,00403B2F,00403A5E,?), ref: 00403B71
GlobalFree.KERNEL32(?), ref: 00403B78

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B57

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3936084776
Opcode ID: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
Instruction ID: 19c5699a9bb8b3376c06320bd1355d3f7d45777e2bc9a3354ca833756e7661a4
Opcode Fuzzy Hash: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
Instruction Fuzzy Hash: 40E0EC3290212097C7615F55FE08B6E7B78AF49B26F05056AE884BB2628B746D428BDC

Uniqueness

Uniqueness Score: -1.00%

Function 004020D8 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00402103

Part of subcall function 0040559F: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,00000000,004258D1,762323A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,00000000,004258D1,762323A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,00403418), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402114
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 0812a69665cf11e377adb3684f8a171474585e26745252b9346dd4e1bc3f05c7
Instruction ID: d1cf9917c249e547a3b1759614bc69e8b445b1996c4dbd71fd6f6dd46acd7470
Opcode Fuzzy Hash: 0812a69665cf11e377adb3684f8a171474585e26745252b9346dd4e1bc3f05c7
Instruction Fuzzy Hash: 2A21C231904104FACF11AFA5CE48A9D7A71BF48358F20413BF605B91E1DBBD8A82965D

Uniqueness

Uniqueness Score: -1.00%

Function 00401B9B Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(02F375C8), ref: 00401C0B
GlobalAlloc.KERNEL32(00000040,00000804), ref: 00401C1D

Part of subcall function 0040657A: lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,?,004055D6,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,00000000), ref: 00406779

Strings

get, xrefs: 00401BC2, 00401BC8, 00401BE2

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: Global$AllocFreelstrcatlstrlen
String ID: get
API String ID: 3292104215-4248514160
Opcode ID: cecd7903579db09396e99fcb4041446ac8fea00c0e28d0f13f956e9ee607e8f0
Instruction ID: 7c0f58a685d1fc6dd3685da305ee1819882fb4420ac17dc2787245939102450a
Opcode Fuzzy Hash: cecd7903579db09396e99fcb4041446ac8fea00c0e28d0f13f956e9ee607e8f0
Instruction Fuzzy Hash: 1B21D872904210EBDB20AFA8EE84A5E73B4EB04715755063BF552F72D0D7B8AC414B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C01 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00406008: GetFileAttributesW.KERNEL32(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
Part of subcall function 00406008: SetFileAttributesW.KERNEL32(?,00000000), ref: 00406021

RemoveDirectoryW.KERNEL32(?,?,?,00000000,00405DE3), ref: 00405C1C
DeleteFileW.KERNEL32(?,?,?,00000000,00405DE3), ref: 00405C24
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C3C

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
Instruction ID: 0274c5225d47ddc366315f3a2fda4b694ad97aa72442a0e2fcdbaf00fd257d87
Opcode Fuzzy Hash: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
Instruction Fuzzy Hash: F4E0E53110CF9156E61457309E08F5F2AD8EF86715F05493EF892B10C0CBB848068E6A

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Strings

C:\Program Files (x86)\Fast!, xrefs: 00402269

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Program Files (x86)\Fast!
API String ID: 542301482-1788482285
Opcode ID: f0c7f0c58da5b2556a219b4126ec8a5e6c03aa9de5f34d462473648d541e39b0
Instruction ID: 5977cb51530078b600b156af0050786de557c4b464dd586e6a5beaa7a0440451
Opcode Fuzzy Hash: f0c7f0c58da5b2556a219b4126ec8a5e6c03aa9de5f34d462473648d541e39b0
Instruction Fuzzy Hash: A7411571A00208EFCF40DFE4C989E9D7BB5BF49348B20456AF905EB2D1DB799981CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040252A Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040255B
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsjF660.tmp,00000000,00000011,00000002), ref: 004025FD

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: f0203ba3881819d7b9bb9119f6d82b13770a830527b7165a928350ff739dcab4
Instruction ID: 3e5dab0bbcc9b7b4348569693e39c51bc0b27c59e8ea0ed6abb05ebc10b9b344
Opcode Fuzzy Hash: f0203ba3881819d7b9bb9119f6d82b13770a830527b7165a928350ff739dcab4
Instruction Fuzzy Hash: 5F116D71900219EADF14DFA4DA589AE77B4FF04345B20443BE401B62C0E7B88A45EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
Instruction ID: f98c5e72cab4da6dd47fcf147c12dc0649e5852bd482257a86ca63d172a8b8d6
Opcode Fuzzy Hash: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
Instruction Fuzzy Hash: 0B01F4316202209FE7094B389D05B6A3698E710319F14823FF851F65F1EA78DC029B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00401EDE Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EFC
EnableWindow.USER32(00000000,00000000), ref: 00401F07

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 5ade1ed26a80a7dd8760c06c43378076533002221f41e68569be4ee1dd8de31a
Instruction ID: ff95e9915c8c9942b49c08d49a5710ecdabad47c7be9b03b7ba0a01474a23479
Opcode Fuzzy Hash: 5ade1ed26a80a7dd8760c06c43378076533002221f41e68569be4ee1dd8de31a
Instruction Fuzzy Hash: E7E04872908211CFE705EBA4EE495AD77F4EF40325710497FE501F11D1DBB55D00965D

Uniqueness

Uniqueness Score: -1.00%

Function 00405B20 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
CloseHandle.KERNEL32(?), ref: 00405B56

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
Instruction ID: 0547baa0b497a95b6ed0e8f273b1969b1ac2c9598ef2001c301bcde660c6e2d6
Opcode Fuzzy Hash: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
Instruction Fuzzy Hash: 3EE092B4600209BFEB10AB64AE49F7B7AACEB04704F004565BA51E61A1DB78E8158A78

Uniqueness

Uniqueness Score: -1.00%

Function 0040690A Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
GetProcAddress.KERNEL32(00000000,?), ref: 00406937

Part of subcall function 0040689A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
Part of subcall function 0040689A: wsprintfW.USER32 ref: 004068EC
Part of subcall function 0040689A: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406900

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 6f78d3fdf53352f122fdb8e7e1f438bdfac4fae158339a91a146711bf240c1a4
Instruction ID: 98bdf7d71c6046f852b78b75196177710d0a141037308efd39b2ac7baa162fea
Opcode Fuzzy Hash: 6f78d3fdf53352f122fdb8e7e1f438bdfac4fae158339a91a146711bf240c1a4
Instruction Fuzzy Hash: 9FE0867390422066D21196745D44D7773A89B99750306443EF946F2090DB38DC31A76E

Uniqueness

Uniqueness Score: -1.00%

Function 0040602D Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000003,004030BD,C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00406008 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
SetFileAttributesW.KERNEL32(?,00000000), ref: 00406021

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: c979a2e86073268fb5c10017c0603d576bb262e7e1663e1e1b2ee048d1a5e24b
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 34D012725041316FC2102728EF0C89BBF55EF643717014B35F9A5A22F0CB304C638A98

Uniqueness

Uniqueness Score: -1.00%

Function 00403B12 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403A5E,?), ref: 00403B1D

Strings

C:\Users\user\AppData\Local\Temp\nsjF660.tmp\, xrefs: 00403B31

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\
API String ID: 2962429428-2611537087
Opcode ID: e86ec88962d2cddd060eb64ec5e150871475ae72b9f2b14f7d4b77a190cc5563
Instruction ID: 74b342ff74dc5917d60848dc34610585f5de2c5243f802b65b47dd8438b48b4d
Opcode Fuzzy Hash: e86ec88962d2cddd060eb64ec5e150871475ae72b9f2b14f7d4b77a190cc5563
Instruction Fuzzy Hash: 5EC0123050470056D1646F749E4FE153B64AB4073EB600325B0F9B10F1CB3C5759895D

Uniqueness

Uniqueness Score: -1.00%

Function 00405AEB Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1
GetLastError.KERNEL32 ref: 00405AFF

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 33feed20cbbf131019f18849f7ccc9358209a8d33535326e0157453b6049084a
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: 1BC04C30204501AED6105B609E48B177AA4DB50741F16843D6146E41E0DA789455EE2D

Uniqueness

Uniqueness Score: -1.00%

Function 004063D8 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E57,00000000,?,?), ref: 00406401

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction ID: ccab944935cfefb85f0e849ce69279fb55db75a3b7fb0960311cd9d36817041a
Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction Fuzzy Hash: 04E0E6B2010109BFEF095F90DC0AD7B3B1DE704300F01892EFD06D4091E6B5AD306675

Uniqueness

Uniqueness Score: -1.00%

Function 004060DF Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403498,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 004060F3

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: d8d859634201a592f38c73999a999f352708a9e59580de02994c407fa40ca669
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: FAE08C3220026AABEF109E60DC04AEB3B6CFB00360F014837FA16E7081E270E93087A4

Uniqueness

Uniqueness Score: -1.00%

Function 004060B0 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E2,00000000,00000000,00403306,000000FF,00000004,00000000,00000000,00000000), ref: 004060C4

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: 1583d2e05e1cff28e3594e7db3f0db2d88eef65457287744bb544c492d9958e5
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: AEE0EC322502AAABDF10AE65DC04AEB7B6CEB05361F018936FD16E6150E631E92197A4

Uniqueness

Uniqueness Score: -1.00%

Function 004063AA Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00406438,?,00000000,?,?,Remove folder: ,?), ref: 004063CE

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction ID: 4361357c0318622cec318f667d88df30c4c29b75262f7bca7234b06b46464da2
Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction Fuzzy Hash: 83D0123210020EBBDF115F91AD01FAB3B5DAB08310F014426FE06E40A1D775D530A764

Uniqueness

Uniqueness Score: -1.00%

Function 004062FD Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(?,?,00000005,00405DFB,?,00000000,000000F1,?,?,?,?,?), ref: 00406307

Part of subcall function 00406183: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040631E,?,?), ref: 004061BE
Part of subcall function 00406183: GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061C7
Part of subcall function 00406183: GetShortPathNameW.KERNEL32(?,00431108,00000400), ref: 004061E4
Part of subcall function 00406183: wsprintfA.USER32 ref: 00406202
Part of subcall function 00406183: GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 0040623D
Part of subcall function 00406183: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
Part of subcall function 00406183: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
Part of subcall function 00406183: SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: File$NamePathShort$AllocCloseGlobalHandleMovePointerSizelstrcpywsprintf
String ID:
API String ID: 1930046112-0
Opcode ID: 8f53434626867040aeaf300899a332654148b257c03f208a35692daf52d65ed0
Instruction ID: 786f9f27e87e5c9ea407ae46cb6f26f26cce76303f9e9442b57226035b255668
Opcode Fuzzy Hash: 8f53434626867040aeaf300899a332654148b257c03f208a35692daf52d65ed0
Instruction Fuzzy Hash: 4AD05232108201BECA011B40ED04A0ABBA2EB84316F11842EF599A40B0EB3280219B09

Uniqueness

Uniqueness Score: -1.00%

Function 00404499 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

Part of subcall function 0040657A: lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,?,004055D6,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,00000000), ref: 00406779

SetDlgItemTextW.USER32(?,?,00000000), ref: 004044B3

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: ItemTextlstrcatlstrlen
String ID:
API String ID: 281422827-0
Opcode ID: 90e9d348aac44dd859050291e9807f2f15480ffb268b4e012463b180631e3b26
Instruction ID: 6ac98b26730712a62f5b3967fa7f39b4c61dbbfa6ef1674fce18da22a1fc1fc0
Opcode Fuzzy Hash: 90e9d348aac44dd859050291e9807f2f15480ffb268b4e012463b180631e3b26
Instruction Fuzzy Hash: D3C08C35008200BFD641A714EC42F0FB7A8FFA031AF00C42EB05CA10D1C63494208A2A

Uniqueness

Uniqueness Score: -1.00%

Function 004044E5 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00040400,00000000,00000000,00000000), ref: 004044F7

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b985a0028b3d47d2300e38cb49a9103195f452c5c5dca8052d978926f7780193
Instruction ID: 729772cd993a62bf3dcd5a53f5ba0c6067f9c4589e443fe2cdcdd0dddf41cb53
Opcode Fuzzy Hash: b985a0028b3d47d2300e38cb49a9103195f452c5c5dca8052d978926f7780193
Instruction Fuzzy Hash: 74C04CB1740605BADA108B509D45F0677546750701F188429B641A50E0CA74E410D62C

Uniqueness

Uniqueness Score: -1.00%

Function 00405B63 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00405B72

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
Instruction ID: 155326c85e208380d9db810c36285a9e1b4200be200639c8195ffcf147e959ee
Opcode Fuzzy Hash: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
Instruction Fuzzy Hash: BEC092B2000200EFE301CF80CB09F067BE8AF54306F028068E185DA060C7788840CB29

Uniqueness

Uniqueness Score: -1.00%

Function 004044CE Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ea04ea026f55595d688d74c1d87789f1c1942be7a89ca5b988cfd0b6025de892
Instruction ID: f9270ce27bc2d5d500308faa7c43699bdd9cec228278350af1c7ef3a72e6c056
Opcode Fuzzy Hash: ea04ea026f55595d688d74c1d87789f1c1942be7a89ca5b988cfd0b6025de892
Instruction Fuzzy Hash: 4FB01235181A00FBDE514B00DE09F857E62F7E4701F058038F341240F0CBB200A4DB08

Uniqueness

Uniqueness Score: -1.00%

Function 004034E5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040387D,?), ref: 004034F3

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 004044BB Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00404292), ref: 004044C5

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 88c3b14432b04161d4e03979afc52f71aef4d1a500ec292a4d39f98dda9e77ac
Instruction ID: 0db23a64e3c973129ccb7351ad80e5cfa0365495cc8a336c35755b545d17f2be
Opcode Fuzzy Hash: 88c3b14432b04161d4e03979afc52f71aef4d1a500ec292a4d39f98dda9e77ac
Instruction Fuzzy Hash: 74A00275508601DBDE115B51DF09D057B71A7547017414579A18551034C6314461EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA4 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0040559F: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,00000000,004258D1,762323A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,00000000,004258D1,762323A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,00403418), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Part of subcall function 00405B20: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
Part of subcall function 00405B20: CloseHandle.KERNEL32(?), ref: 00405B56

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB

Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
Part of subcall function 004069B5: GetExitCodeProcess.KERNEL32(?,?), ref: 004069E8

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: fa18f46a8673bca6434a5c9373a6cbc3dc8609fa07edefac18420a2ce970209b
Instruction ID: a015d294fcb9cc4e365613bb9e09bf6e78b00889af70ee47f703a6c6056ea9c8
Opcode Fuzzy Hash: fa18f46a8673bca6434a5c9373a6cbc3dc8609fa07edefac18420a2ce970209b
Instruction Fuzzy Hash: 2DF09072904112EBCB21BBA59A84EDE76E8DF01318F25403BE102B21D1D77C4E429A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 0247c60e4c81cd0d93bf07655b107266fb29897d22759340ec027b86c090604d
Instruction ID: 7e4bd3fa72896d3e54e8b4d9ea8ddceac118c8145159a7c2ee745a60f6c60e84
Opcode Fuzzy Hash: 0247c60e4c81cd0d93bf07655b107266fb29897d22759340ec027b86c090604d
Instruction Fuzzy Hash: 8DD0A773B141018BD704EBFCFE8545E73E8EB503293208C37D402E10D1E678C846461C

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404F06 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F1E
GetDlgItem.USER32(?,00000408), ref: 00404F29
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F73
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F8A
SetWindowLongW.USER32(?,000000FC,00405513), ref: 00404FA3
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB7
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFD
DeleteObject.GDI32(00000000), ref: 00405000
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102

Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
GetWindowLongW.USER32(?,000000F0), ref: 00405144
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405152
ShowWindow.USER32(?,00000005), ref: 00405162
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052D7
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FB
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
ImageList_Destroy.COMCTL32(?), ref: 00405330
GlobalFree.KERNEL32(?), ref: 00405340
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
SendMessageW.USER32(?,00001102,?,?), ref: 00405462
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
InvalidateRect.USER32(?,00000000,00000001), ref: 0040549C
ShowWindow.USER32(?,00000000), ref: 004054EA
GetDlgItem.USER32(?,000003FE), ref: 004054F5
ShowWindow.USER32(00000000), ref: 004054FC

Strings

N, xrefs: 0040519B
, xrefs: 004054D4
M, xrefs: 004050BA

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 8650db15f8eec7f2c7436ff7bc9e6097db9116c58dec0643669c66b6eab2f928
Instruction ID: 669472b6e39b4296dbb294a81ed98d86f32f22d8abeb4cff7518c6a892085abf
Opcode Fuzzy Hash: 8650db15f8eec7f2c7436ff7bc9e6097db9116c58dec0643669c66b6eab2f928
Instruction Fuzzy Hash: EF028A70900608EFDB20DFA9DD45AAF7BB5FB84314F10817AE610BA2E0D7799942DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404658 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046F6
GetDlgItem.USER32(?,000003E8), ref: 0040470A
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404727
GetSysColor.USER32(?), ref: 00404738
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404746
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404754
lstrlenW.KERNEL32(?), ref: 00404759
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404766
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040477B
GetDlgItem.USER32(?,0000040A), ref: 004047D4
SendMessageW.USER32(00000000), ref: 004047DB
GetDlgItem.USER32(?,000003E8), ref: 00404806
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404849
LoadCursorW.USER32(00000000,00007F02), ref: 00404857
SetCursor.USER32(00000000), ref: 0040485A
LoadCursorW.USER32(00000000,00007F00), ref: 00404873
SetCursor.USER32(00000000), ref: 00404876
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048A5
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B7

Strings

Remove folder: , xrefs: 00404835
N, xrefs: 004047F4

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$Remove folder:
API String ID: 3103080414-3051863454
Opcode ID: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
Instruction ID: e0aa441e67ff77812dea5cfa76c138b5706349c0d06c8e95e02877fce1cb63d1
Opcode Fuzzy Hash: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
Instruction Fuzzy Hash: 1A61A3B5900209BFDB10AF60DD85E6A7BA9FB44314F00843AFB05B62D0D778A951DF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
Instruction ID: e457e53e67a16f607b198c8be77aa7e47a8fd9e6aa67a1a07366d16d1d2d9a76
Opcode Fuzzy Hash: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
Instruction Fuzzy Hash: 0E418B71800209AFCF058FA5DE459AF7FB9FF44315F04802AF991AA1A0C738AA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040498A Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004049D9
SetWindowTextW.USER32(00000000,?), ref: 00404A03
SHBrowseForFolderW.SHELL32(?), ref: 00404AB4
CoTaskMemFree.OLE32(00000000), ref: 00404ABF
lstrcmpiW.KERNEL32(Remove folder: ,0042D268,00000000,?,?), ref: 00404AF1
lstrcatW.KERNEL32(?,Remove folder: ), ref: 00404AFD
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B0F

Part of subcall function 00405B81: GetDlgItemTextW.USER32(?,?,00000400,00404B46), ref: 00405B94

Part of subcall function 004067C4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,76233420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406827
Part of subcall function 004067C4: CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406836
Part of subcall function 004067C4: CharNextW.USER32(?,00000000,76233420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040683B
Part of subcall function 004067C4: CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040684E

GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 00404BD2
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BED

Part of subcall function 00404D46: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
Part of subcall function 00404D46: wsprintfW.USER32 ref: 00404DF0
Part of subcall function 00404D46: SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03

Strings

A, xrefs: 00404AAD
C:\Program Files (x86)\Fast!, xrefs: 00404ADA
Remove folder: , xrefs: 00404AEB, 00404AF0, 00404AFB

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Program Files (x86)\Fast!$Remove folder:
API String ID: 2624150263-1220325781
Opcode ID: fab986b41fe51bcb83dfe55d65232c7215597a26c5e3df290e301c6af6088bb7
Instruction ID: a81e8b8b6ddc8ea4f7a7a45a10ce21cc850824e22f7b82fba9ad49fead82d7d1
Opcode Fuzzy Hash: fab986b41fe51bcb83dfe55d65232c7215597a26c5e3df290e301c6af6088bb7
Instruction Fuzzy Hash: CBA191B1900208ABDB119FA6DD45AAFB7B8EF84314F10803BF601B62D1D77C9A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00406183 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040631E,?,?), ref: 004061BE
GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061C7

Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4

GetShortPathNameW.KERNEL32(?,00431108,00000400), ref: 004061E4
wsprintfA.USER32 ref: 00406202
GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 0040623D
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
GlobalFree.KERNEL32(00000000), ref: 004062EB
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F2

Part of subcall function 0040602D: GetFileAttributesW.KERNEL32(00000003,004030BD,C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

Strings

%ls=%ls, xrefs: 004061F8
[Rename], xrefs: 0040626C, 0040627E

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 8d52cae6b0df5babf044fe540a8f61f10365d92318d6db6e700b5564579bcd37
Instruction ID: 71978d88b6039f89b25a0dfa2ffa892efa56fbf884cfe692307f7793e751c739
Opcode Fuzzy Hash: 8d52cae6b0df5babf044fe540a8f61f10365d92318d6db6e700b5564579bcd37
Instruction Fuzzy Hash: 6A314670200716BBD2207B659D48F6B3A6CEF45754F15017EFA42F62C2EA3CA821867D

Uniqueness

Uniqueness Score: -1.00%

Function 00404500 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040451D
GetSysColor.USER32(00000000), ref: 0040455B
SetTextColor.GDI32(?,00000000), ref: 00404567
SetBkMode.GDI32(?,?), ref: 00404573
GetSysColor.USER32(?), ref: 00404586
SetBkColor.GDI32(?,?), ref: 00404596
DeleteObject.GDI32(?), ref: 004045B0
CreateBrushIndirect.GDI32(?), ref: 004045BA

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: 19446832cb8519ea1938040ed984131457e28e93d0b00b9b4dc42373f0e33a15
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: 382177B1500705AFCB31DF68DD08B5BBBF8AF41714B058A2EEA96B22E1C734E944CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004067C4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,76233420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406827
CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406836
CharNextW.USER32(?,00000000,76233420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040683B
CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040684E

Strings

*?|<>/":, xrefs: 00406816
C:\Users\user\AppData\Local\Temp\, xrefs: 004067C5

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-826357637
Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction ID: 8e05d213a2b26a47bd0c986db1e6a85e10b5e067f284fb5e9645f7af11a9ce3c
Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction Fuzzy Hash: 7311862780161295DB313B158C44A77A2A8AF58798F56843FED86B32C1E77C8C9282AD

Uniqueness

Uniqueness Score: -1.00%

Function 00404E54 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E6F
GetMessagePos.USER32 ref: 00404E77
ScreenToClient.USER32(?,?), ref: 00404E91
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EA3
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC9

Strings

f, xrefs: 00404EA5

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 177f1d0b32132a6560496663958852c5fe6f1b23f9da62007dee57caca3d7f28
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 34014C71900219BADB00DBA4DD85BFFBBB8AB54711F10012BBA50B61C0D7B49A058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 0040657A: lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,?,004055D6,Remove folder: C:\Users\user\AppData\Local\Temp\nsjF660.tmp\,00000000), ref: 00406779

CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3

Strings

MS Shell Dlg, xrefs: 00401EB9

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID: MS Shell Dlg
API String ID: 2584051700-76309092
Opcode ID: 0465d2832808ea9d6fff4b9245e4cab849096788d5b9b76ed02900a81bf07427
Instruction ID: 78b13ae86a0973dc2b43aa2eb6c1af0beb3c1ef463c522f55250376beecb9f8a
Opcode Fuzzy Hash: 0465d2832808ea9d6fff4b9245e4cab849096788d5b9b76ed02900a81bf07427
Instruction Fuzzy Hash: 7001B571904241EFEB005BB0EE49B9A3FB4BB15301F108A39F541B71D2C7B904458BED

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
MulDiv.KERNEL32(07D4078B,00000064,07D430F8), ref: 00402FDC
wsprintfW.USER32 ref: 00402FEC
SetWindowTextW.USER32(?,?), ref: 00402FFC
SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E

Strings

verifying installer: %d%%, xrefs: 00402FE6

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 34baaeb4f482044ab67dd7918236f7f229881b82dd6befd7adca30260b95ec65
Instruction ID: eb17ebabde20c32bd565f0ca98bf5c3c7f8a04474e671541d9d17dad0456e96b
Opcode Fuzzy Hash: 34baaeb4f482044ab67dd7918236f7f229881b82dd6befd7adca30260b95ec65
Instruction Fuzzy Hash: 20014B7064020DABEF209F60DE4AFEA3B79FB04345F008039FA06B51D0DBB999559F69

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction ID: ca6229ec891c5908b4c2d3bab14ae3db7b9396451d72a40731f1c02386a45f13
Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction Fuzzy Hash: DA215A7150010ABBEF119F90CE89EEF7B7DEB50384F100076F909B21A0D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
Instruction ID: b69f8f45c5cbb28dd5603d9b1d667d2ce3d3910c133b75fee4ecc707c572ca23
Opcode Fuzzy Hash: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
Instruction Fuzzy Hash: 3321F672904119AFCB05DBA4DE45AEEBBB5EF08314F14003AFA45F62A0DB389951DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404D46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
wsprintfW.USER32 ref: 00404DF0
SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03

Strings

%u.%u%s%s, xrefs: 00404DD1

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: ef5a487acd93c416279d422af54232d8d0333c49029b07dfc4f1175e68c26d0a
Instruction ID: d7f2b51e3f2153b105aad6c1cbcae815e44f670c765de83d30fbb221df5484fa
Opcode Fuzzy Hash: ef5a487acd93c416279d422af54232d8d0333c49029b07dfc4f1175e68c26d0a
Instruction Fuzzy Hash: AC11D573A041283BDB10656DAC45E9E369CAF81334F254237FA66F21D1EA78D91182E8

Uniqueness

Uniqueness Score: -1.00%

Function 00405EB7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
CharNextW.USER32(00000000), ref: 00405ECA
CharNextW.USER32(00000000), ref: 00405EE2

Strings

C:\, xrefs: 00405EB8

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: 389604e099afbb0f1c733809242fd9884b65eb47018f1a61235cb76474637dc7
Instruction ID: b7f7aa27055ddc775a1b47344aef2f77b81fec2ea34db2f3ccdabfa21b6bce3d
Opcode Fuzzy Hash: 389604e099afbb0f1c733809242fd9884b65eb47018f1a61235cb76474637dc7
Instruction Fuzzy Hash: 7BF0F631810E1296DB317B548C44E7B97BCEB64354B04843BD741B71C0D3BC8D808BDA

Uniqueness

Uniqueness Score: -1.00%

Function 00405E0C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E12
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E1C
lstrcatW.KERNEL32(?,0040A014), ref: 00405E2E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E0C

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3936084776
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 1a595bf39a0a3392b99637bd72bd9cca8666c17676e511d5d4bf90e80f698eee
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: A8D0A731101930BAC2127B49EC08DDF62ACAE89340341443BF145B30A4CB7C5E5187FD

Uniqueness

Uniqueness Score: -1.00%

Function 0040263E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\FAST!\Temp\), ref: 00402695

Strings

C:\Users\user\AppData\Local\Temp\nsjF660.tmp, xrefs: 00402683
C:\Users\user\AppData\Local\FAST!\Temp\, xrefs: 00402659, 0040267E, 00402690, 004026DC

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\FAST!\Temp\$C:\Users\user\AppData\Local\Temp\nsjF660.tmp
API String ID: 1659193697-1960729512
Opcode ID: 00933c64229d8af25222ad9bfa8c1bb017ce3e6fae46a45fef74913abf3a9e56
Instruction ID: edf8e5a6553ae7ef136857fb61bcac29e22bbc78049b19fa22ca3c34260198f3
Opcode Fuzzy Hash: 00933c64229d8af25222ad9bfa8c1bb017ce3e6fae46a45fef74913abf3a9e56
Instruction Fuzzy Hash: 2611EB71A00215BBCB10BFB18E4AAAE7665AF40744F25443FE002B71C2EAFC8891565E

Uniqueness

Uniqueness Score: -1.00%

Function 00403019 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,004031F7,00000001,?,?,?,?,?,0040387D,?), ref: 0040302C
GetTickCount.KERNEL32 ref: 0040304A
CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040387D,?), ref: 00403075

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
Instruction ID: 3364d2369d767f53e7c05e99e54cbc9c067443d5da9c9f227d7c3a258cba7bb7
Opcode Fuzzy Hash: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
Instruction Fuzzy Hash: A9F08270702A20AFC2316F50FE4998B7F68FB44B56741447AF446B15ACCB380DA2CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405513 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405542
CallWindowProcW.USER32(?,?,?,?), ref: 00405593

Part of subcall function 004044E5: SendMessageW.USER32(00040400,00000000,00000000,00000000), ref: 004044F7

Strings

, xrefs: 00405523

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
Instruction ID: 904a7c61355239921aaa7855b64c86422fca6e8886f64d9e6fcbc6a993ea73ec
Opcode Fuzzy Hash: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
Instruction Fuzzy Hash: F3017CB1100608BFDF209F11DD80AAB3B27EB84754F50453AFA01762D5D77A8E92DA69

Uniqueness

Uniqueness Score: -1.00%

Function 00405E58 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\AppData\Local\FAST!\Temp,004030E9,C:\Users\user\AppData\Local\FAST!\Temp,C:\Users\user\AppData\Local\FAST!\Temp,C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe,C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00405E5E
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\FAST!\Temp,004030E9,C:\Users\user\AppData\Local\FAST!\Temp,C:\Users\user\AppData\Local\FAST!\Temp,C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe,C:\Users\user\AppData\Local\FAST!\Temp\Setupuser.exe,80000000,00000003), ref: 00405E6E

Strings

C:\Users\user\AppData\Local\FAST!\Temp, xrefs: 00405E58

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\AppData\Local\FAST!\Temp
API String ID: 2709904686-822552318
Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction ID: d2786f61c86b799b8b6ecf14661ff9643eaf9d362a95097130d0805b1e4d2bc4
Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction Fuzzy Hash: 36D0A7B3410D20DAC3126718DC04DAF73ECFF6134074A442AF481A71A4D7785E8186ED

Uniqueness

Uniqueness Score: -1.00%

Function 00405F92 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBA
CharNextA.USER32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB
lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4

Memory Dump Source

Source File: 00000007.00000002.2781952639.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2781920513.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782003111.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000431000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000436000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000043E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000440000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.0000000000457000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782113497.000000000045A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2782554772.000000000045B000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_Setupuser.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: bd09551308ad338638525116890fdadd4ab1f465f5503068af61de479685a4e4
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: 34F0C231604418FFC7029BA5CD0099EBBA8EF06250B2140AAF840FB210D678DE019BA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: diskspd.exePID: 7800, Parent PID: 7748COMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.5%
Total number of Nodes:	1897
Total number of Limit Nodes:	9

Executed Functions

Function 01001F60 Relevance: 116.5, APIs: 35, Strings: 31, Instructions: 1033filesynchronizationthreadCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 01001F6A
srand.MSVCRT ref: 01001FFE
GetCurrentThread.KERNEL32 ref: 01002066
SetThreadGroupAffinity.KERNELBASE(00000000,?,00000000), ref: 01002073
atoi.MSVCRT ref: 0100212D
sprintf_s.MSVCRT ref: 01002146
isalpha.MSVCRT ref: 01002161
sprintf_s.MSVCRT ref: 01002188
CreateFileA.KERNELBASE(?,-C0000001,00000003,00000000,00000003,00000080,00000000,?), ref: 0100223D
SetFileInformationByHandle.KERNEL32(?,0000000C,?,00000004), ref: 010022EC
GetFileSize.KERNEL32(?,?), ref: 01002338
GetLastError.KERNEL32 ref: 0100234B
__aulldiv.LIBCMT ref: 010024C2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010026CF
SetFilePointerEx.KERNEL32(00000010,00000000,?,00000000,00000000,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 01002707
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 01002715
GetLastError.KERNEL32 ref: 01002744
GetLastError.KERNEL32(?,?,00000001,00000000), ref: 01002785
GetLastError.KERNEL32 ref: 010027FD
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 01002856
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 01002861
Sleep.KERNEL32(00000000,?,00000004,?,?,?), ref: 010028F9
ReadFile.KERNEL32(00000010,00000001,00000004,?,00000000,?,00000004,?,?,?), ref: 01002955
WriteFile.KERNEL32(00000010,00000000,00000000,00000000,00000004,?,00000000,?,00000004,?,?,?), ref: 01002979
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01002A57
SetFilePointerEx.KERNEL32(00000010,00000000,?,00000000,00000000), ref: 01002A8F

Part of subcall function 0100813D: GetTickCount64.KERNEL32 ref: 01008148

GetLastError.KERNEL32 ref: 01002ACE
CreateIoCompletionPort.KERNELBASE(00000010,?,00000000,00000001,?,?), ref: 01002B1D
GetLastError.KERNEL32 ref: 01002B42
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01002C72
WaitForSingleObject.KERNEL32(?,000000FF,00000001,?,?), ref: 01002D1E
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 01002D95
FindCloseChangeNotification.KERNELBASE(?), ref: 01002DAA
CloseHandle.KERNEL32(?), ref: 01002DC3
??3@YAXPAX@Z.MSVCRT ref: 01002DD1

Strings

Waiting for a signal to start failed (error code: %u), xrefs: 01002868
t[%u:%u] initial I/O op at %I64u (starting in block: %I64u), xrefs: 01002C93
The file is too small. File: '%s' relative thread %u size: %I64u, base offset: %I64u block size: %u, xrefs: 010027D3
read, xrefs: 01002AC2
Error opening file: %s [%u], xrefs: 01002805
thread %u: waiting for a signal to start, xrefs: 0100283C, 01002D04
t[%u] new I/O op at %I64u (starting in block: %I64u), xrefs: 01002A71
Error getting file size, xrefs: 01002756
Error setting IO priority for file: %s [%u], xrefs: 0100274C
affinitizing thread %u to Group %u / CPU %u, xrefs: 01002032
The file is too small or there has been an error during getting file size, xrefs: 01002762
SeLockMemoryPrivilege, xrefs: 010020BC
FATAL ERROR: invalid filename, xrefs: 0100282A
Error setting file pointer. Error code: %d., xrefs: 0100271C
thread %u started (random seed: %u), xrefs: 0100254C
t[%u:%u] error during %s error code: %u), xrefs: 01002ADE
Failed to disable local caching (error %u). NOTE: only supported on remote filesystems with Windows 8 or newer., xrefs: 01002727
Warning - file size is less than MaxFileSize, xrefs: 01002389
FATAL ERROR: Could not allocate a buffer bytes for target '%s'. Error code: 0x%x, xrefs: 0100278D
\\.\PhysicalDrive%u, xrefs: 01002134
thread %u: received signal to start, xrefs: 0100287A, 01002D35
\\.\%c:, xrefs: 01002176
write, xrefs: 01002AC9, 01002AD5
Warning: thread %u transfered %u bytes instead of %u bytes, xrefs: 010029A2
thread %u: Error setting file pointer, xrefs: 01002AB1
Error setting affinity mask in thread %u, xrefs: 01002083
ERROR:, xrefs: 010020B7
thread %u starting: file '%s' relative thread %u random pattern, xrefs: 01002474
thread %u starting: file '%s' relative thread %u file offset: %I64u (starting in block: %I64u), xrefs: 010024E2
unable to create IO completion port (error code: %u), xrefs: 01002B49
t[%u] initial I/O op at %I64u (starting in block: %I64u), xrefs: 010026E9

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ErrorLast$File$Unothrow_t@std@@@__ehfuncinfo$??2@$CloseCreateHandleObjectPointerSingleThreadWaitsprintf_s$??3@AffinityChangeCompletionCount64CurrentFindFreeGroupH_prolog3_InformationNotificationPortReadSizeSleepTickVirtualWrite__aulldivatoiisalphasrand
String ID: ERROR:$Error getting file size$Error opening file: %s [%u]$Error setting IO priority for file: %s [%u]$Error setting affinity mask in thread %u$Error setting file pointer. Error code: %d.$FATAL ERROR: Could not allocate a buffer bytes for target '%s'. Error code: 0x%x$FATAL ERROR: invalid filename$Failed to disable local caching (error %u). NOTE: only supported on remote filesystems with Windows 8 or newer.$SeLockMemoryPrivilege$The file is too small or there has been an error during getting file size$The file is too small. File: '%s' relative thread %u size: %I64u, base offset: %I64u block size: %u$Waiting for a signal to start failed (error code: %u)$Warning - file size is less than MaxFileSize$Warning: thread %u transfered %u bytes instead of %u bytes$\\.\%c:$\\.\PhysicalDrive%u$affinitizing thread %u to Group %u / CPU %u$read$t[%u:%u] error during %s error code: %u)$t[%u:%u] initial I/O op at %I64u (starting in block: %I64u)$t[%u] initial I/O op at %I64u (starting in block: %I64u)$t[%u] new I/O op at %I64u (starting in block: %I64u)$thread %u started (random seed: %u)$thread %u starting: file '%s' relative thread %u file offset: %I64u (starting in block: %I64u)$thread %u starting: file '%s' relative thread %u random pattern$thread %u: Error setting file pointer$thread %u: received signal to start$thread %u: waiting for a signal to start$unable to create IO completion port (error code: %u)$write
API String ID: 2250426-2870866691
Opcode ID: 4c0f6276e26b1a4b055f2db324aa6ebafd7531bfd55497681c56615943e61ecb
Instruction ID: 4910da9850f47bf035b9e10719371a292927778a2db7a8cd014f182f2cb3c795
Opcode Fuzzy Hash: 4c0f6276e26b1a4b055f2db324aa6ebafd7531bfd55497681c56615943e61ecb
Instruction Fuzzy Hash: D892B1709002159FEF66DF64CC88BE9BBB5BF04310F0481D9E989AB296CB35D985CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01001175 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000020,000000FF,000000B8,?,?), ref: 0100119B
OpenProcessToken.ADVAPI32(00000000,?,?), ref: 010011A2
GetLastError.KERNEL32(?,?), ref: 010011AC
LookupPrivilegeValueA.ADVAPI32(00000000,SeLockMemoryPrivilege,?), ref: 010011D4
GetLastError.KERNEL32(?,?), ref: 010011DE
FindCloseChangeNotification.KERNELBASE(000000FF,?,?), ref: 01001232

Strings

SeLockMemoryPrivilege, xrefs: 010011CA, 010011E5, 01001218
%s Error adjusting token privileges for %s (error code: %u), xrefs: 0100121A
%s Error opening process token (error code: %u), xrefs: 010011B4
%s Error looking up privilege value %s (error code: %u), xrefs: 010011E7
ERROR:, xrefs: 010011B3, 010011E6, 01001219

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ErrorLastProcess$ChangeCloseCurrentFindLookupNotificationOpenPrivilegeTokenValue
String ID: %s Error adjusting token privileges for %s (error code: %u)$%s Error looking up privilege value %s (error code: %u)$%s Error opening process token (error code: %u)$ERROR:$SeLockMemoryPrivilege
API String ID: 3977855488-962059016
Opcode ID: 51ab3c611cb4e145f1c533acbd7a2f79b730ed0232876135e786e204f4ec3890
Instruction ID: f7e8dce84208f10dc36a08da580340d442c6bb23fa9991a6ca089a4197416a54
Opcode Fuzzy Hash: 51ab3c611cb4e145f1c533acbd7a2f79b730ed0232876135e786e204f4ec3890
Instruction Fuzzy Hash: 2E21B670600209BFF726ABA59C0EEBF7B7DEB41351F100259B595D2081DA398905C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 01001446 Relevance: 1.5, APIs: 1, Instructions: 27
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 01001471

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 0c3f98c07c303d1405c42ce7432818fb293a650d64682aba9e40e7898381c31b
Instruction ID: e1b8ab3f553324e8ed529cc6732c6dcba07d5ff84827cae5dfedd07bdf40e226
Opcode Fuzzy Hash: 0c3f98c07c303d1405c42ce7432818fb293a650d64682aba9e40e7898381c31b
Instruction Fuzzy Hash: B9E09B31710119ABD714DF65DC12FAE7B9CEB5C350F01805DB95A9B1C4CD756D008B90

Uniqueness

Uniqueness Score: -1.00%

Function 01001733 Relevance: 28.4, APIs: 9, Strings: 7, Instructions: 359
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(00000010,00000001,?,00000000,?,?,00000060,01002D66), ref: 01001927
WriteFile.KERNEL32(00000010,00000000,00000001,00000001,?,00000000,?,?,00000060,01002D66), ref: 01001953

Part of subcall function 01001490: __aullrem.LIBCMT ref: 01001502
Part of subcall function 01001490: __aullrem.LIBCMT ref: 010015DE

GetLastError.KERNEL32 ref: 01001960
Sleep.KERNEL32(?,?,?,00000060,01002D66), ref: 010019B3
GetQueuedCompletionStatus.KERNEL32(01002D66,?,`f-,00000010,00000001,?,00000060,01002D66), ref: 010019CA

Part of subcall function 00FFA975: QueryPerformanceCounter.KERNEL32(00000000,00000001,00000001,?,01001E0F,000000B8,00000000,?), ref: 00FFA980

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01001AB7
??3@YAXPAX@Z.MSVCRT ref: 01001B0F
GetLastError.KERNEL32 ref: 01001B2D

Strings

write, xrefs: 01001B28, 01001B34
t[%u] error during %s error code: %u), xrefs: 01001B38
error during overlapped IO operation (error code: %u), xrefs: 01001B48
t[%u:%u] new I/O op at %I64u (starting in block: %I64u), xrefs: 01001ACF
read, xrefs: 01001B21
Warning: thread %u transferred %u bytes instead of %u bytes, xrefs: 01001A0F
`f-, xrefs: 010019BF, 010019C2

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ErrorFileLast__aullrem$??3@CompletionCounterPerformanceQueryQueuedReadSleepStatusUnothrow_t@std@@@Write__ehfuncinfo$??2@
String ID: Warning: thread %u transferred %u bytes instead of %u bytes$`f-$error during overlapped IO operation (error code: %u)$read$t[%u:%u] new I/O op at %I64u (starting in block: %I64u)$t[%u] error during %s error code: %u)$write
API String ID: 202472602-2475727796
Opcode ID: fe898f1e9503627864fc48a31534f30c3e2d7e2123ffa28433f77717ac0aae4e
Instruction ID: bd11dc0bfcf54371aaf7f28440fbf54d49aedbb321099f502eacf23ad34e11ce
Opcode Fuzzy Hash: fe898f1e9503627864fc48a31534f30c3e2d7e2123ffa28433f77717ac0aae4e
Instruction Fuzzy Hash: 01E14E71E002189FEF56DFA8C884AADBBF6FF48310F1440A9E949AB2A5D731D941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01002E86 Relevance: 6.1, APIs: 4, Instructions: 60
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcpy_s.MSVCRT ref: 01002EB3
GetFileAttributesA.KERNELBASE(00000000), ref: 01002EEB
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 01002EFF
GetLastError.KERNEL32 ref: 01002F25

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: AttributesCreateDirectoryErrorFileLaststrcpy_s
String ID:
API String ID: 354552961-0
Opcode ID: 1ab53c79a3e19258e7a46aacc09c63cf4f49914a67a207cb6f6675100c368292
Instruction ID: 0332188e0549d4ecd4dce0541862a94ede2de95b614d89d0bfdecdda27091118
Opcode Fuzzy Hash: 1ab53c79a3e19258e7a46aacc09c63cf4f49914a67a207cb6f6675100c368292
Instruction Fuzzy Hash: 1C11C830908284AAF7738B289C4C7BA7BE89B45390F5405EDE5C5D20C2DAB859C5C751

Uniqueness

Uniqueness Score: -1.00%

Function 00FFBFD5 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLargePageMinimum.KERNEL32 ref: 00FFBFF6
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00FFC01B
memset.MSVCRT ref: 00FFC03D

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: AllocLargeMinimumPageVirtualmemset
String ID:
API String ID: 3383278933-0
Opcode ID: ab3d0985c1d899f62a23fd0a939cd3257216098f11f77e4d84cc428e511f0e53
Instruction ID: b2088ad8b177c7e21e308a83378ab042ae280011bccb7c4a6bdfe3a6129594a6
Opcode Fuzzy Hash: ab3d0985c1d899f62a23fd0a939cd3257216098f11f77e4d84cc428e511f0e53
Instruction Fuzzy Hash: 671159B1D0522DFFEB218AA58884BBBBF6CEF51710F044059EA40D3251CA355C4AE7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00FFA58F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::tr1::_Xmem.LIBCPMT ref: 00FFA5B5

Part of subcall function 0100CA2B: malloc.MSVCRT ref: 0100CA42

Strings

@, xrefs: 00FFA747

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: Xmemmallocstd::tr1::_
String ID: @
API String ID: 257571584-2766056989
Opcode ID: e557915b018f3de789a6a5b814599bebcef38dc8af605dfa46dc7d758236d689
Instruction ID: 43d5da794b869aa259f6dce57d7d390ab81e4b32506ca07bbc44f5769f908649
Opcode Fuzzy Hash: e557915b018f3de789a6a5b814599bebcef38dc8af605dfa46dc7d758236d689
Instruction Fuzzy Hash: 28D05EB170860F0B6A1C627D54144BA328C8E547B1B1C0229762BC65E0ED20EC40506A

Uniqueness

Uniqueness Score: -1.00%

Function 00FFA49C Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 00FFA4A3
memcpy.MSVCRT ref: 00FFA53F

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: H_prolog3_catchmemcpy
String ID:
API String ID: 1910038392-0
Opcode ID: 052c34f7ccf53851fc1f993f75ab6a9906d50604afca1249db68c4a3a916d9fb
Instruction ID: 7ef2b523705808bb4ec093c6a143c234220cc578cfd175e99180905081653fcc
Opcode Fuzzy Hash: 052c34f7ccf53851fc1f993f75ab6a9906d50604afca1249db68c4a3a916d9fb
Instruction Fuzzy Hash: FB212BF1E00709DBDB24DF98C8807BDB7B1AF40720F18061DD69A5B2E0CBB0A9459792

Uniqueness

Uniqueness Score: -1.00%

Function 0100834C Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 01008379
vsprintf_s.MSVCRT ref: 0100838D

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: memsetvsprintf_s
String ID:
API String ID: 3742729749-0
Opcode ID: ffe4342fce3222ce0dd9de668b47ca581545b5909d2431ed4ec72b809e648192
Instruction ID: 9158ef9df71e94083d9da7573439df1be1bd9167811beeae2b31ed0f5b6c4251
Opcode Fuzzy Hash: ffe4342fce3222ce0dd9de668b47ca581545b5909d2431ed4ec72b809e648192
Instruction Fuzzy Hash: CD01817690015DABDB21EFA5DD44EEBB3BCEF88311F000195B748D3140DA78EA458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 01005A5C Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memmove.MSVCRT ref: 01005A7C
??3@YAXPAX@Z.MSVCRT ref: 01005A94

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ??3@memmove
String ID:
API String ID: 1783365933-0
Opcode ID: fab6de1eb5036bbed368adb19ac5da49e4ce7f42cb4ef1ba3dce0dff8b641b44
Instruction ID: fa4f0556155e9df531cb53d0ca6e63037c47b4f10b72f4aacf83ded41793fbcf
Opcode Fuzzy Hash: fab6de1eb5036bbed368adb19ac5da49e4ce7f42cb4ef1ba3dce0dff8b641b44
Instruction Fuzzy Hash: 7BF04F76000609EFD731CF28D884896FBF9EF94360B20862EF9D943254D736A960DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0100CA2B Relevance: 3.0, APIs: 2, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_callnewh.MSVCRT ref: 0100CA35
malloc.MSVCRT ref: 0100CA42

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: _callnewhmalloc
String ID:
API String ID: 2285944120-0
Opcode ID: 7b02ef4027c67943fc8fff91bb7076556e2012748ceef8498b1393fa9e643a67
Instruction ID: 68cd6efc13d226ffe529efaef1cce555e4705ecff7d7c46fc371d530b03edf1c
Opcode Fuzzy Hash: 7b02ef4027c67943fc8fff91bb7076556e2012748ceef8498b1393fa9e643a67
Instruction Fuzzy Hash: A2D0A73500850AA6BF22D599DD1456E3F585A51264F1402D0B58C854E0DF21C9919550

Uniqueness

Uniqueness Score: -1.00%

Function 01005FF0 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::tr1::_Xmem.LIBCPMT ref: 0100601B

Part of subcall function 0100CA2B: malloc.MSVCRT ref: 0100CA42

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: Xmemmallocstd::tr1::_
String ID:
API String ID: 257571584-0
Opcode ID: be6cc1b887e42288d6a360c469d7365e5a3a82c27b7e35e19d8eef7028465c8a
Instruction ID: 3d5b13f6d1623b6db5cc58f2092382040f551ed7aeda2c677074ea0b5b9cc4fb
Opcode Fuzzy Hash: be6cc1b887e42288d6a360c469d7365e5a3a82c27b7e35e19d8eef7028465c8a
Instruction Fuzzy Hash: 68D05E7224860B03BA1AE1ADA4104AF77D98A96770F1402ADB6A6CA5C0DE22D9515069

Uniqueness

Uniqueness Score: -1.00%

Function 010047A3 Relevance: 1.3, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memmove.MSVCRT ref: 010047DA

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: b842250755622c7fe977457420819805d6019044a526c6d664b4914ec8722422
Instruction ID: cc6c70b549e1e8e45e47db39839f860268af345bb7992311f4c9b66fe493079e
Opcode Fuzzy Hash: b842250755622c7fe977457420819805d6019044a526c6d664b4914ec8722422
Instruction Fuzzy Hash: 4A11C436A000118BDF15CE6CC99456DBBE9FB85221B598369EE59CB2C8DB70EE01C7E4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00FFD640 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 167COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00FFD74E
fprintf.MSVCRT ref: 00FFD777
fprintf.MSVCRT ref: 00FFD795
fprintf.MSVCRT ref: 00FFD7D5

Strings

ERROR: core %u is out of range, xrefs: 00FFD740, 00FFD7A9
ERROR: incomplete affinity specification, xrefs: 00FFD7C7
ERROR: syntax error parsing affinity at highlighted character-%s, xrefs: 00FFD769
ERROR: group %u is out of range, xrefs: 00FFD70E

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: fprintf
String ID: ERROR: core %u is out of range$ERROR: group %u is out of range$ERROR: incomplete affinity specification$ERROR: syntax error parsing affinity at highlighted character-%s
API String ID: 383729395-1019511092
Opcode ID: 0b78a2f7e4a3d8cdc5286d416c0682b411e2b638711118614a6a0b3af8fcd20b
Instruction ID: e070be77716dd0b7d0e9fa7f2c6767d944b1248c065f1357eceb3c65f6cd0a73
Opcode Fuzzy Hash: 0b78a2f7e4a3d8cdc5286d416c0682b411e2b638711118614a6a0b3af8fcd20b
Instruction Fuzzy Hash: D4418E33D4425C6EEB206A74D85E7FE7B268F12760F284015EF886B1E2D5760C44FB91

Uniqueness

Uniqueness Score: -1.00%

Function 01000FB0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 01000FD6
GetLastError.KERNEL32 ref: 01000FE3
DeviceIoControl.KERNEL32(?,00074004,00000000,00000000,?,00000020,?,00000003), ref: 01001015
GetLastError.KERNEL32 ref: 01001021
WaitForSingleObject.KERNEL32(?,000000FF), ref: 01001033
GetLastError.KERNEL32 ref: 0100103D
CloseHandle.KERNEL32(?), ref: 01001060

Strings

ERROR: Could not obtain partition info (error code: %u), xrefs: 01001051
ERROR: Failed while waiting for event to be signaled (error code: %u), xrefs: 01001044
ERROR: Failed to create event (error code: %u), xrefs: 01000FEA

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ErrorLast$CloseControlCreateDeviceEventHandleObjectSingleWait
String ID: ERROR: Could not obtain partition info (error code: %u)$ERROR: Failed to create event (error code: %u)$ERROR: Failed while waiting for event to be signaled (error code: %u)
API String ID: 3935222316-1037057180
Opcode ID: 47a4c84613fd5cea5134fe8f31df71540f3e3c6cb0c765fec775b079b695bc54
Instruction ID: 39eb561262efe57e4a86fd1ece8d4088f9a019fcf4a8534e78fcc704d5f13bbf
Opcode Fuzzy Hash: 47a4c84613fd5cea5134fe8f31df71540f3e3c6cb0c765fec775b079b695bc54
Instruction Fuzzy Hash: A621B631A00145BBA737DAA5DC08DBFBB7AEF88710F104229FA81E21D4DE75D800C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0100D498 Relevance: 7.6, APIs: 5, Instructions: 53timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0100D4CE
GetCurrentProcessId.KERNEL32 ref: 0100D4DD
GetCurrentThreadId.KERNEL32 ref: 0100D4E6
GetTickCount.KERNEL32 ref: 0100D4EF
QueryPerformanceCounter.KERNEL32(?), ref: 0100D504

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 9c0839e30089a8e5455bb10fbb46968f588fa7f21255d08d3eb1c0e3833078fc
Instruction ID: 35f272a32860b1cb72914fc97d72e40209ec1214510db8c405220c75f10eb2bc
Opcode Fuzzy Hash: 9c0839e30089a8e5455bb10fbb46968f588fa7f21255d08d3eb1c0e3833078fc
Instruction Fuzzy Hash: C5115E71D01208DBDB26CBF8D5486AEBBF5FB08351F614599F546D7248DB399A00CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0100D5FA Relevance: 6.0, APIs: 4, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,0100D735,00FF1E98), ref: 0100D601
UnhandledExceptionFilter.KERNEL32(0100D735,?,0100D735,00FF1E98), ref: 0100D60A
GetCurrentProcess.KERNEL32(C0000409,?,0100D735,00FF1E98), ref: 0100D615
TerminateProcess.KERNEL32(00000000,?,0100D735,00FF1E98), ref: 0100D61C

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: e6fedbebd3b58efd78c35be9ea4bdfbab62276aa62310178aa610c876db88970
Instruction ID: 7b67b3a8cd84a8345f72cf3b92c445d4c96414ddbbe949ecd068f0ec8e6cedb7
Opcode Fuzzy Hash: e6fedbebd3b58efd78c35be9ea4bdfbab62276aa62310178aa610c876db88970
Instruction Fuzzy Hash: 57D0C972000108ABC7222BE1EC0CA593E2BEB44252F268600F34A82006CA3E4451CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FFCEC4 Relevance: 436.0, APIs: 130, Strings: 119, Instructions: 281COMMON

Download Yara Rule

APIs

printf.MSVCRT ref: 00FFCED1
printf.MSVCRT ref: 00FFCEDF
printf.MSVCRT ref: 00FFCEF4
printf.MSVCRT ref: 00FFCEFB
printf.MSVCRT ref: 00FFCF06
printf.MSVCRT ref: 00FFCF11
printf.MSVCRT ref: 00FFCF1C
printf.MSVCRT ref: 00FFCF27
printf.MSVCRT ref: 00FFCF2E
printf.MSVCRT ref: 00FFCF39
printf.MSVCRT ref: 00FFCF44
printf.MSVCRT ref: 00FFCF4F
printf.MSVCRT ref: 00FFCF5A
printf.MSVCRT ref: 00FFCF68
printf.MSVCRT ref: 00FFCF75
printf.MSVCRT ref: 00FFCF82
printf.MSVCRT ref: 00FFCF8F
printf.MSVCRT ref: 00FFCF9C
printf.MSVCRT ref: 00FFCFA9
printf.MSVCRT ref: 00FFCFB6
printf.MSVCRT ref: 00FFCFC3
printf.MSVCRT ref: 00FFCFD0
printf.MSVCRT ref: 00FFCFDD
printf.MSVCRT ref: 00FFCFEA
printf.MSVCRT ref: 00FFCFF7
printf.MSVCRT ref: 00FFD004
printf.MSVCRT ref: 00FFD011
printf.MSVCRT ref: 00FFD01E
printf.MSVCRT ref: 00FFD02B
printf.MSVCRT ref: 00FFD038
printf.MSVCRT ref: 00FFD045
printf.MSVCRT ref: 00FFD052
printf.MSVCRT ref: 00FFD05F
printf.MSVCRT ref: 00FFD06C
printf.MSVCRT ref: 00FFD079
printf.MSVCRT ref: 00FFD086
printf.MSVCRT ref: 00FFD093
printf.MSVCRT ref: 00FFD0A0
printf.MSVCRT ref: 00FFD0AD
printf.MSVCRT ref: 00FFD0BA
printf.MSVCRT ref: 00FFD0C7
printf.MSVCRT ref: 00FFD0D4
printf.MSVCRT ref: 00FFD0E1
printf.MSVCRT ref: 00FFD0EE
printf.MSVCRT ref: 00FFD0FB
printf.MSVCRT ref: 00FFD108
printf.MSVCRT ref: 00FFD115
printf.MSVCRT ref: 00FFD122
printf.MSVCRT ref: 00FFD12F
printf.MSVCRT ref: 00FFD13C
printf.MSVCRT ref: 00FFD149
printf.MSVCRT ref: 00FFD156
printf.MSVCRT ref: 00FFD163
printf.MSVCRT ref: 00FFD170
printf.MSVCRT ref: 00FFD17D
printf.MSVCRT ref: 00FFD18A
printf.MSVCRT ref: 00FFD197
printf.MSVCRT ref: 00FFD1A4
printf.MSVCRT ref: 00FFD1B1
printf.MSVCRT ref: 00FFD1BE
printf.MSVCRT ref: 00FFD1CB
printf.MSVCRT ref: 00FFD1D8
printf.MSVCRT ref: 00FFD1E5
printf.MSVCRT ref: 00FFD1F2
printf.MSVCRT ref: 00FFD1FF
printf.MSVCRT ref: 00FFD20C
printf.MSVCRT ref: 00FFD219
printf.MSVCRT ref: 00FFD226
printf.MSVCRT ref: 00FFD233
printf.MSVCRT ref: 00FFD240
printf.MSVCRT ref: 00FFD24D
printf.MSVCRT ref: 00FFD25A
printf.MSVCRT ref: 00FFD267
printf.MSVCRT ref: 00FFD274
printf.MSVCRT ref: 00FFD281
printf.MSVCRT ref: 00FFD28E
printf.MSVCRT ref: 00FFD29B
printf.MSVCRT ref: 00FFD2A8
printf.MSVCRT ref: 00FFD2B5
printf.MSVCRT ref: 00FFD2C2
printf.MSVCRT ref: 00FFD2CF
printf.MSVCRT ref: 00FFD2DC
printf.MSVCRT ref: 00FFD2E9
printf.MSVCRT ref: 00FFD2F6
printf.MSVCRT ref: 00FFD303
printf.MSVCRT ref: 00FFD30A
printf.MSVCRT ref: 00FFD315
printf.MSVCRT ref: 00FFD320
printf.MSVCRT ref: 00FFD32B
printf.MSVCRT ref: 00FFD336
printf.MSVCRT ref: 00FFD33D
printf.MSVCRT ref: 00FFD348
printf.MSVCRT ref: 00FFD34F
printf.MSVCRT ref: 00FFD35A
printf.MSVCRT ref: 00FFD365
printf.MSVCRT ref: 00FFD371
printf.MSVCRT ref: 00FFD37C
printf.MSVCRT ref: 00FFD383
printf.MSVCRT ref: 00FFD38E
printf.MSVCRT ref: 00FFD395
printf.MSVCRT ref: 00FFD3A3
printf.MSVCRT ref: 00FFD3AA
printf.MSVCRT ref: 00FFD3B5
printf.MSVCRT ref: 00FFD3BC
printf.MSVCRT ref: 00FFD3C7
printf.MSVCRT ref: 00FFD3D2
printf.MSVCRT ref: 00FFD3DD
printf.MSVCRT ref: 00FFD3E8
printf.MSVCRT ref: 00FFD3F3
printf.MSVCRT ref: 00FFD3FE
printf.MSVCRT ref: 00FFD409
printf.MSVCRT ref: 00FFD414
printf.MSVCRT ref: 00FFD41F
printf.MSVCRT ref: 00FFD42A
printf.MSVCRT ref: 00FFD435
printf.MSVCRT ref: 00FFD440
printf.MSVCRT ref: 00FFD44E
printf.MSVCRT ref: 00FFD45B
printf.MSVCRT ref: 00FFD468
printf.MSVCRT ref: 00FFD476
printf.MSVCRT ref: 00FFD47D
printf.MSVCRT ref: 00FFD488
printf.MSVCRT ref: 00FFD493
printf.MSVCRT ref: 00FFD49E
printf.MSVCRT ref: 00FFD4AC
printf.MSVCRT ref: 00FFD4B7
printf.MSVCRT ref: 00FFD4C2
printf.MSVCRT ref: 00FFD4CD
printf.MSVCRT ref: 00FFD4DB
printf.MSVCRT ref: 00FFD4E2

Strings

By default, the write buffers are filled with a repeating pattern (0, 1, 2, ..., 255, 0, 1, ...), xrefs: 00FFD343
-g<bytes per ms> throughput per-thread per-target throttled to given bytes per millisecond, xrefs: 00FFD0B3
may be specified, and groups/cores may be repeated. If no group is specified, 0 is assumed., xrefs: 00FFCF88
<partition_drive_letter>:, xrefs: 00FFCF22
-yf<eventname> signals event <eventname> after the actual run finishes (no cooldown), xrefs: 00FFD377
-Sw enable writethrough (no hardware write caching), equivalent to FILE_FLAG_WRITE_THROUGH, xrefs: 00FFD260
-c<size>[K|M|G|b] create files of the given size., xrefs: 00FFCFF0
per-target: text output provides IOPs standard deviation, XML provides the full, xrefs: 00FFD024
[default=0] (starting offset = base file offset + (thread number * <offs>), xrefs: 00FFD287
-S[bhruw] control caching behavior [default: caching is enabled, no writethrough], xrefs: 00FFD205
specifies Processor Groups for the following CPU core #s. Multiple Processor Groups, xrefs: 00FFCF7B
-F<count> total number of threads (conflicts with -t), xrefs: 00FFD0A6
-Sh equivalent -Suw, xrefs: 00FFD239
-T<offs>[K|M|G|b] starting stride between I/O operations performed on the same target by different threads, xrefs: 00FFD27A
but promotes a more sequential pattern., xrefs: 00FFD1EB
for example to test only the first sectors of a disk, xrefs: 00FFD058
manipulate a shared offset with InterlockedIncrement, which may reduce throughput,, xrefs: 00FFD1DE
-W<seconds> warm up time - duration of the test before measurements start [default=5s], xrefs: 00FFD2D5
Event Tracing:, xrefs: 00FFD3C2
In non-interlocked mode, threads do not coordinate, so the pattern of offsets, xrefs: 00FFD1C4
-eIMAGE_LOAD image load, xrefs: 00FFD404
-L measure latency statistics, xrefs: 00FFD11B
-B<offs>[K|M|G|b] base target offset in bytes or KiB/MiB/GiB/blocks [default=0], xrefs: 00FFCFD6
IMPORTANT: a write test will destroy existing data without a warning, xrefs: 00FFD2C8
-I<priority> Set IO priority to <priority>. Available values are: 1-very low, 2-low, 3-normal (default), xrefs: 00FFD101
(creates a notification event if <eventname> does not exist), xrefs: 00FFD36B, 00FFD370, 00FFD382, 00FFD394, 00FFD3A9
%s -b4K -t2 -r -o32 -d10 -h testfile.dat, xrefs: 00FFD4A7
as seen by the target will not be truly sequential. Under -si the threads, xrefs: 00FFD1D1
-yr<eventname> waits on event <eventname> before starting the run (including warmup), xrefs: 00FFD389
Examples: -a0,1,2 and -ag0,0,1,2 are equivalent., xrefs: 00FFCFA2
-l Use large pages for IO buffers, xrefs: 00FFD10E
lasting 10 seconds:, xrefs: 00FFD4C8
-ag#,#[,#,...]> advanced CPU affinity - affinitize threads round-robin to the CPUs provided. The g# notation, xrefs: 00FFCF6E
-ag group affinity - affinitize threads round-robin to cores in Processor Groups 0 - n., xrefs: 00FFCF4A
-f<rst> open file with one or more additional access hints, xrefs: 00FFD065
[default inactive], xrefs: 00FFD0CD
Create two 1GB files, set block size to 4KB, create 2 threads per file, affinitize threads, xrefs: 00FFD4B2
-ep use paged memory for the NT Kernel Logger [default=non-paged memory], xrefs: 00FFD3E3
[default = q, query perf timer (qpc)], xrefs: 00FFD3D8
-R<text|xml> output format. Default is text., xrefs: 00FFD19D
(1=synchronous I/O, unless more than 1 thread is specified with -F), xrefs: 00FFD142
-s[i]<size>[K|M|G|b] sequential stride size, offset between subsequent I/O operations, xrefs: 00FFD1AA
[default=2], xrefs: 00FFD14F
-eDISK_IO physical disk IO, xrefs: 00FFD40F
-n disable default affinity (-a), xrefs: 00FFD128
Group 0 is filled before Group 1, and so forth., xrefs: 00FFCF55
(ignored if -r is specified, makes sense only with -o2 or greater), xrefs: 00FFD169
-r<align>[K|M|G|b] random I/O aligned to <align> in bytes/KiB/MiB/GiB/blocks (overrides -s), xrefs: 00FFD190
-Z zero buffers used for write tests, xrefs: 00FFD31B
-z[seed] set random seed [with no -z, seed=0; with plain -z, seed is based on system run time], xrefs: 00FFD2FC
-x use completion routines instead of I/O Completion Ports, xrefs: 00FFD2E2
-X<filepath> use an XML file for configuring the workload. Cannot be used with other parameters., xrefs: 00FFD2EF
absence of this switch indicates 100%% reads, xrefs: 00FFD2BB
-eMEMORY_HARD_FAULTS hard faults only, xrefs: 00FFD425
r : the FILE_FLAG_RANDOM_ACCESS hint, xrefs: 00FFD072
Examples:, xrefs: 00FFD454
-h deprecated, see -Sh, xrefs: 00FFD0DA
Synchronization:, xrefs: 00FFD355
-p start parallel sequential I/O operations with the same offset, xrefs: 00FFD15C
makes sense only with #threads > 1, xrefs: 00FFD294
Available targets:, xrefs: 00FFCF01
2016/5/01, xrefs: 00FFCEE5
IOPs time series in addition. [default=1000, 1 second]., xrefs: 00FFD031
access read test lasting 10 seconds:, xrefs: 00FFD499
-t<count> number of threads per target (conflicts with -F), xrefs: 00FFD26D
-ag0,0,1,2 -ag1,0,1,2 is equivalent., xrefs: 00FFCFBC
s : the FILE_FLAG_SEQUENTIAL_SCAN hint, xrefs: 00FFD07F
-Sb enable caching (default, explicitly stated), xrefs: 00FFD22C
-P<count> enable printing a progress dot after each <count> [default=65536], xrefs: 00FFD176
(offset from the beginning of the file), xrefs: 00FFCFE3
-b<size>[K|M|G] block size in bytes or KiB/MiB/GiB [default=64K], xrefs: 00FFCFC9
-S equivalent to -Su, xrefs: 00FFD21F
-Sr disable local caching, with remote sw caching enabled; only valid for remote filesystems, xrefs: 00FFD253
-Su disable software caching, equivalent to FILE_FLAG_NO_BUFFERING, xrefs: 00FFD246
Set block size to 4KB, create 2 threads per file, 32 overlapped (outstanding), xrefs: 00FFD483
version %s (%s), xrefs: 00FFCEEF
-D<milliseconds> Capture IOPs statistics in intervals of <milliseconds>; these are per-thread, xrefs: 00FFD017
Usage: %s [options] target1 [ target2 [ target3 ...] ], xrefs: 00FFCEDA
[default: none], xrefs: 00FFD099
Additional groups/processors may be added, comma separated, or on separate parameters., xrefs: 00FFCF95
-ePROCESS process start & end, xrefs: 00FFD3EE
t : the FILE_ATTRIBUTE_TEMPORARY hint, xrefs: 00FFD08C
(ignored if -r specified, -si conflicts with -T and -p), xrefs: 00FFD1F8
-j<milliseconds> interval in <milliseconds> between issuing IO bursts; see -i [default: inactive], xrefs: 00FFD0F4
-v verbose mode, xrefs: 00FFD2A1
-eMEMORY_PAGE_FAULTS all page faults, xrefs: 00FFD41A
-? display usage information, xrefs: 00FFCF3F
2.0.17a, xrefs: 00FFCEEA
[default; use -n to disable default affinity], xrefs: 00FFCF63
-f<size>[K|M|G|b] target size - use only the first <size> bytes or KiB/MiB/GiB/blocks of the file/disk/partition,, xrefs: 00FFD04B
I/O operations per thread, disable all caching mechanisms and run block-aligned random, xrefs: 00FFD48E
-d<seconds> duration (in seconds) to run test [default=10s], xrefs: 00FFD03E
-o<count> number of outstanding I/O requests per target per thread, xrefs: 00FFD135
file_path, xrefs: 00FFCF0C
-Z<size>[K|M|G|b] use a <size> buffer filled with random data as a source for write operations., xrefs: 00FFD326
Create 8192KB file and run read test on it for 1 second:, xrefs: 00FFD461
-ag0,0,1,2,g1,0,1,2 specifies the first three cores in groups 0 and 1., xrefs: 00FFCFAF
note that this can not be specified when using completion routines, xrefs: 00FFD0C0
-w<percentage> percentage of write requests (-w and -w0 are equivalent and result in a read-only workload)., xrefs: 00FFD2AE
%s -c1G -b4K -t2 -d10 -a0,1 testfile1.dat testfile2.dat, xrefs: 00FFD4D6
-e<q|c|s> Use query perf timer (qpc), cycle count, or system timer respectively., xrefs: 00FFD3CD
%s -c8192K -d1 testfile.dat, xrefs: 00FFD471
to CPUs 0 and 1 (each file will have threads affinitized to both CPUs) and run read test, xrefs: 00FFD4BD
completed I/O operations, counted separately by each thread , xrefs: 00FFD183
Available options:, xrefs: 00FFCF34
#<physical drive number>, xrefs: 00FFCF17
non-conflicting flags may be combined in any order; ex: -Sbw, -Suw, -Swu, xrefs: 00FFD212
-eREGISTRY registry calls, xrefs: 00FFD43B
-ys<eventname> signals event <eventname> before starting the actual run (no warmup), xrefs: 00FFD360
-ye<eventname> sets event <eventname> and quits, xrefs: 00FFD3B0
Size can be stated in bytes or KiB/MiB/GiB/blocks, xrefs: 00FFCFFD
-Z<size>[K|M|G|b],<file> use a <size> buffer filled with data from <file> as a source for write operations., xrefs: 00FFD331
[default access=non-interlocked sequential, default stride=block size], xrefs: 00FFD1B7
Write buffers:, xrefs: 00FFD310
-i<count> number of IOs per burst; see -j [default: inactive], xrefs: 00FFD0E7
-C<seconds> cool down time - duration of the test after measurements finished [default=0s]., xrefs: 00FFD00A
-eNETWORK TCP/IP, UDP/IP send & receive, xrefs: 00FFD430
-eTHREAD thread start & end, xrefs: 00FFD3F9
-yp<eventname> stops the run when event <eventname> is set; CTRL+C is bound to this event, xrefs: 00FFD39E

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: printf
String ID: -ag0,0,1,2 -ag1,0,1,2 is equivalent.$ -ag0,0,1,2,g1,0,1,2 specifies the first three cores in groups 0 and 1.$ (1=synchronous I/O, unless more than 1 thread is specified with -F)$ (ignored if -r is specified, makes sense only with -o2 or greater)$ (ignored if -r specified, -si conflicts with -T and -p)$ (offset from the beginning of the file)$ Additional groups/processors may be added, comma separated, or on separate parameters.$ Examples: -a0,1,2 and -ag0,0,1,2 are equivalent.$ Group 0 is filled before Group 1, and so forth.$ IMPORTANT: a write test will destroy existing data without a warning$ IOPs time series in addition. [default=1000, 1 second].$ In non-interlocked mode, threads do not coordinate, so the pattern of offsets$ Size can be stated in bytes or KiB/MiB/GiB/blocks$ [default = q, query perf timer (qpc)]$ [default access=non-interlocked sequential, default stride=block size]$ [default inactive]$ [default: none]$ [default; use -n to disable default affinity]$ [default=0] (starting offset = base file offset + (thread number * <offs>)$ [default=2]$ as seen by the target will not be truly sequential. Under -si the threads$ but promotes a more sequential pattern.$ completed I/O operations, counted separately by each thread $ for example to test only the first sectors of a disk$ makes sense only with #threads > 1$ manipulate a shared offset with InterlockedIncrement, which may reduce throughput,$ may be specified, and groups/cores may be repeated. If no group is specified, 0 is assumed.$ non-conflicting flags may be combined in any order; ex: -Sbw, -Suw, -Swu$ note that this can not be specified when using completion routines$ per-target: text output provides IOPs standard deviation, XML provides the full$ r : the FILE_FLAG_RANDOM_ACCESS hint$ s : the FILE_FLAG_SEQUENTIAL_SCAN hint$ specifies Processor Groups for the following CPU core #s. Multiple Processor Groups$ t : the FILE_ATTRIBUTE_TEMPORARY hint$ absence of this switch indicates 100%% reads$ (creates a notification event if <eventname> does not exist)$ #<physical drive number>$ <partition_drive_letter>:$ file_path$ %s -b4K -t2 -r -o32 -d10 -h testfile.dat$ %s -c1G -b4K -t2 -d10 -a0,1 testfile1.dat testfile2.dat$ %s -c8192K -d1 testfile.dat$ -? display usage information$ -B<offs>[K|M|G|b] base target offset in bytes or KiB/MiB/GiB/blocks [default=0]$ -C<seconds> cool down time - duration of the test after measurements finished [default=0s].$ -D<milliseconds> Capture IOPs statistics in intervals of <milliseconds>; these are per-thread$ -F<count> total number of threads (conflicts with -t)$ -I<priority> Set IO priority to <priority>. Available values are: 1-very low, 2-low, 3-normal (default)$ -L measure latency statistics$ -P<count> enable printing a progress dot after each <count> [default=65536]$ -R<text|xml> output format. Default is text.$ -S equivalent to -Su$ -S[bhruw] control caching behavior [default: caching is enabled, no writethrough]$ -Sb enable caching (default, explicitly stated)$ -Sh equivalent -Suw$ -Sr disable local caching, with remote sw caching enabled; only valid for remote filesystems$ -Su disable software caching, equivalent to FILE_FLAG_NO_BUFFERING$ -Sw enable writethrough (no hardware write caching), equivalent to FILE_FLAG_WRITE_THROUGH$ -T<offs>[K|M|G|b] starting stride between I/O operations performed on the same target by different threads$ -W<seconds> warm up time - duration of the test before measurements start [default=5s]$ -X<filepath> use an XML file for configuring the workload. Cannot be used with other parameters.$ -Z zero buffers used for write tests$ -Z<size>[K|M|G|b] use a <size> buffer filled with random data as a source for write operations.$ -Z<size>[K|M|G|b],<file> use a <size> buffer filled with data from <file> as a source for write operations.$ -ag group affinity - affinitize threads round-robin to cores in Processor Groups 0 - n.$ -ag#,#[,#,...]> advanced CPU affinity - affinitize threads round-robin to the CPUs provided. The g# notation$ -b<size>[K|M|G] block size in bytes or KiB/MiB/GiB [default=64K]$ -c<size>[K|M|G|b] create files of the given size.$ -d<seconds> duration (in seconds) to run test [default=10s]$ -e<q|c|s> Use query perf timer (qpc), cycle count, or system timer respectively.$ -eDISK_IO physical disk IO$ -eIMAGE_LOAD image load$ -eMEMORY_HARD_FAULTS hard faults only$ -eMEMORY_PAGE_FAULTS all page faults$ -eNETWORK TCP/IP, UDP/IP send & receive$ -ePROCESS process start & end$ -eREGISTRY registry calls$ -eTHREAD thread start & end$ -ep use paged memory for the NT Kernel Logger [default=non-paged memory]$ -f<rst> open file with one or more additional access hints$ -f<size>[K|M|G|b] target size - use only the first <size> bytes or KiB/MiB/GiB/blocks of the file/disk/partition,$ -g<bytes per ms> throughput per-thread per-target throttled to given bytes per millisecond$ -h deprecated, see -Sh$ -i<count> number of IOs per burst; see -j [default: inactive]$ -j<milliseconds> interval in <milliseconds> between issuing IO bursts; see -i [default: inactive]$ -l Use large pages for IO buffers$ -n disable default affinity (-a)$ -o<count> number of outstanding I/O requests per target per thread$ -p start parallel sequential I/O operations with the same offset$ -r<align>[K|M|G|b] random I/O aligned to <align> in bytes/KiB/MiB/GiB/blocks (overrides -s)$ -s[i]<size>[K|M|G|b] sequential stride size, offset between subsequent I/O operations$ -t<count> number of threads per target (conflicts with -F)$ -v verbose mode$ -w<percentage> percentage of write requests (-w and -w0 are equivalent and result in a read-only workload).$ -x use completion routines instead of I/O Completion Ports$ -ye<eventname> sets event <eventname> and quits$ -yf<eventname> signals event <eventname> after the actual run finishes (no cooldown)$ -yp<eventname> stops the run when event <eventname> is set; CTRL+C is bound to this event$ -yr<eventname> waits on event <eventname> before starting the run (including warmup)$ -ys<eventname> signals event <eventname> before starting the actual run (no warmup)$ -z[seed] set random seed [with no -z, seed=0; with plain -z, seed is based on system run time]$ By default, the write buffers are filled with a repeating pattern (0, 1, 2, ..., 255, 0, 1, ...)$2.0.17a$2016/5/01$Available options:$Available targets:$Create 8192KB file and run read test on it for 1 second:$Create two 1GB files, set block size to 4KB, create 2 threads per file, affinitize threads$Event Tracing:$Examples:$I/O operations per thread, disable all caching mechanisms and run block-aligned random$Set block size to 4KB, create 2 threads per file, 32 overlapped (outstanding)$Synchronization:$Usage: %s [options] target1 [ target2 [ target3 ...] ]$Write buffers:$access read test lasting 10 seconds:$lasting 10 seconds:$to CPUs 0 and 1 (each file will have threads affinitized to both CPUs) and run read test$version %s (%s)
API String ID: 3524737521-2699309960
Opcode ID: 64febc221ee36b205bedc4fc45176380169661d64b89b16d2cc15eed996c71d0
Instruction ID: dfe0bf0b8812cdfef6e1e3d5c949041644521a013f292e32fdd657a11aaafb05
Opcode Fuzzy Hash: 64febc221ee36b205bedc4fc45176380169661d64b89b16d2cc15eed996c71d0
Instruction Fuzzy Hash: EAD1C07D14468DDFC720BFD4A44D42DBEA4AF56702B258809EFC295269CB7E51C0AF23

Uniqueness

Uniqueness Score: -1.00%

Function 00FFBB91 Relevance: 66.9, APIs: 18, Strings: 20, Instructions: 356COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00FFBBD3
fprintf.MSVCRT ref: 00FFBC09
fprintf.MSVCRT ref: 00FFBC6A
fprintf.MSVCRT ref: 00FFBCB8
fprintf.MSVCRT ref: 00FFBD0D
fprintf.MSVCRT ref: 00FFBD4A
fprintf.MSVCRT ref: 00FFBDA4
fprintf.MSVCRT ref: 00FFBDCB
fprintf.MSVCRT ref: 00FFBDFC
fprintf.MSVCRT ref: 00FFBE29
fprintf.MSVCRT ref: 00FFBE4A
fprintf.MSVCRT ref: 00FFBE85
fprintf.MSVCRT ref: 00FFBEA1
fprintf.MSVCRT ref: 00FFBEC9
fprintf.MSVCRT ref: 00FFBEEA
fprintf.MSVCRT ref: 00FFBF0C
fprintf.MSVCRT ref: 00FFBF3D
fprintf.MSVCRT ref: 00FFBF76

Part of subcall function 0100D7CD: __iob_func.MSVCRT ref: 0100D7D2

Strings

ERROR: affinity assignment to group %u core %u not possible; core is not active (current mask 0x%Ix), xrefs: 00FFBCFF
ERROR: -p conflicts with -r, xrefs: 00FFBE61
ERROR: -F and -t parameters cannot be used together, xrefs: 00FFBD96
WARNING: single-threaded test, -si ignored, xrefs: 00FFBEFE
ERROR: -si conflicts with -p, xrefs: 00FFBEDC
ERROR: no timespans specified, xrefs: 00FFBBFB
ERROR: -si conflicts with -r, xrefs: 00FFBE3C
WARNING: -p does not have effect unless outstanding I/O count (-o) is > 1, xrefs: 00FFBE77
WARNING: target access pattern will not be sequential, consider -si, xrefs: 00FFBF23
ERROR: -g throughput control cannot be used with -x completion routines, xrefs: 00FFBDBD
ERROR: -T has no effect unless multiple threads per target are used, xrefs: 00FFBF2F
ERROR: -n and -a parameters cannot be used together, xrefs: 00FFBD3C
ERROR: -T conflicts with -r, xrefs: 00FFBE1B
ERROR: affinity assignment to group %u core %u not possible; group only has %u cores, xrefs: 00FFBCAA
ERROR: need to specify -j<think time> with -i<burst size>, xrefs: 00FFBDEE
WARNING: Complete CPU utilization cannot currently be gathered within DISKSPD for this system. Use alternate mechanisms to gather this data such as perfmon/logman. Active KGroups %u > 1 and/or processor count %u > 64., xrefs: 00FFBBC5
ERROR: custom write buffer (-Z) is smaller than the block size. Write buffer size: %I64u block size: %u, xrefs: 00FFBF68
ERROR: affinity assignment to group %u; system only has %u groups, xrefs: 00FFBC5C
WARNING: -z is ignored if -r is not provided, xrefs: 00FFBE93
ERROR: -si conflicts with -T, xrefs: 00FFBEBB

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: fprintf$__iob_func
String ID: ERROR: -F and -t parameters cannot be used together$ERROR: -T conflicts with -r$ERROR: -T has no effect unless multiple threads per target are used$ERROR: -g throughput control cannot be used with -x completion routines$ERROR: -n and -a parameters cannot be used together$ERROR: -p conflicts with -r$ERROR: -si conflicts with -T$ERROR: -si conflicts with -p$ERROR: -si conflicts with -r$ERROR: affinity assignment to group %u core %u not possible; core is not active (current mask 0x%Ix)$ERROR: affinity assignment to group %u core %u not possible; group only has %u cores$ERROR: affinity assignment to group %u; system only has %u groups$ERROR: custom write buffer (-Z) is smaller than the block size. Write buffer size: %I64u block size: %u$ERROR: need to specify -j<think time> with -i<burst size>$ERROR: no timespans specified$WARNING: -p does not have effect unless outstanding I/O count (-o) is > 1$WARNING: -z is ignored if -r is not provided$WARNING: Complete CPU utilization cannot currently be gathered within DISKSPD for this system. Use alternate mechanisms to gather this data such as perfmon/logman. Active KGroups %u > 1 and/or processor count %u > 64.$WARNING: single-threaded test, -si ignored$WARNING: target access pattern will not be sequential, consider -si
API String ID: 2177900033-102208394
Opcode ID: 47ad644b2e6a589ccff1014b6bcb295098847f66bf8603c927d2468608cf02cb
Instruction ID: 3c87cb34dc41b8a888743a5d2b1074488cb5a8f77b9f1e1ed121dd9883be1fe5
Opcode Fuzzy Hash: 47ad644b2e6a589ccff1014b6bcb295098847f66bf8603c927d2468608cf02cb
Instruction Fuzzy Hash: 93C12971908385AEF7349BA4D84EB7BBBD4AF50720F14480EF2C4961D1D7B9E840DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00FFB845 Relevance: 66.8, APIs: 1, Strings: 37, Instructions: 281COMMON

Download Yara Rule

APIs

sprintf_s.MSVCRT ref: 00FFB8BC

Part of subcall function 00FFB41D: sprintf_s.MSVCRT ref: 00FFB51C
Part of subcall function 00FFB41D: sprintf_s.MSVCRT ref: 00FFB550

Part of subcall function 00FFA1B9: memcpy.MSVCRT ref: 00FFA1DB
Part of subcall function 00FFA1B9: ??3@YAXPAX@Z.MSVCRT ref: 00FFA1E4

Strings

<Verbose>false</Verbose>, xrefs: 00FFB917
<UsePerfTimer>true</UsePerfTimer>, xrefs: 00FFBA8F, 00FFBA9B, 00FFBAA3
<ResultFormat>text</ResultFormat>, xrefs: 00FFB8E6
<Verbose>true</Verbose>, xrefs: 00FFB910, 00FFB91C, 00FFB924
<Process>true</Process>, xrefs: 00FFB96F, 00FFB97B, 00FFB983
<Registry>false</Registry>, xrefs: 00FFBA56
<UseSystemTimer>true</UseSystemTimer>, xrefs: 00FFBAAF, 00FFBABB, 00FFBAC3
<MemoryHardFaults>true</MemoryHardFaults>, xrefs: 00FFBA0F, 00FFBA1B, 00FFBA23
<Process>false</Process>, xrefs: 00FFB976
<ImageLoad>true</ImageLoad>, xrefs: 00FFB9AF, 00FFB9BB, 00FFB9C3
<PrecreateFiles>CreateOnlyFilesWithConstantSizes</PrecreateFiles>, xrefs: 00FFB93F
<ResultFormat>xml</ResultFormat>, xrefs: 00FFB8F0, 00FFB8FC, 00FFB904
<Profile>, xrefs: 00FFB88B
<TimeSpans>, xrefs: 00FFBAEB, 00FFBAF0, 00FFBAF8
<Progress>%u</Progress>, xrefs: 00FFB8AA
</TimeSpans>, xrefs: 00FFBB42, 00FFBB47, 00FFBB4F
<Network>true</Network>, xrefs: 00FFBA2F, 00FFBA3B, 00FFBA43
<MemoryHardFaults>false</MemoryHardFaults>, xrefs: 00FFBA16
<PrecreateFiles>UseMaxSize</PrecreateFiles>, xrefs: 00FFB932
<ResultFormat>* UNSUPPORTED *</ResultFormat>, xrefs: 00FFB8F7
</Profile>, xrefs: 00FFBB57, 00FFBB5C, 00FFBB64
<MemoryPageFaults>true</MemoryPageFaults>, xrefs: 00FFB9EF, 00FFB9FB, 00FFBA03
<UsePerfTimer>false</UsePerfTimer>, xrefs: 00FFBA96
<MemoryPageFaults>false</MemoryPageFaults>, xrefs: 00FFB9F6
<Thread>false</Thread>, xrefs: 00FFB996
<Thread>true</Thread>, xrefs: 00FFB98F, 00FFB99B, 00FFB9A3
<UsePagedMemory>true</UsePagedMemory>, xrefs: 00FFBA6F, 00FFBA7B, 00FFBA83
<DiskIO>true</DiskIO>, xrefs: 00FFB9CF, 00FFB9DB, 00FFB9E3
<ImageLoad>false</ImageLoad>, xrefs: 00FFB9B6
<UsePagedMemory>false</UsePagedMemory>, xrefs: 00FFBA76
<Registry>true</Registry>, xrefs: 00FFBA4F, 00FFBA5B, 00FFBA63
<UseCyclesCounter>false</UseCyclesCounter>, xrefs: 00FFBAD6
<UseCyclesCounter>true</UseCyclesCounter>, xrefs: 00FFBACF, 00FFBADB, 00FFBAE3
<UseSystemTimer>false</UseSystemTimer>, xrefs: 00FFBAB6
<DiskIO>false</DiskIO>, xrefs: 00FFB9D6
<Network>false</Network>, xrefs: 00FFBA36
<PrecreateFiles>CreateOnlyFilesWithConstantOrZeroSizes</PrecreateFiles>, xrefs: 00FFB94C, 00FFB951, 00FFB959

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: sprintf_s$??3@memcpy
String ID: </Profile>$</TimeSpans>$<DiskIO>false</DiskIO>$<DiskIO>true</DiskIO>$<ImageLoad>false</ImageLoad>$<ImageLoad>true</ImageLoad>$<MemoryHardFaults>false</MemoryHardFaults>$<MemoryHardFaults>true</MemoryHardFaults>$<MemoryPageFaults>false</MemoryPageFaults>$<MemoryPageFaults>true</MemoryPageFaults>$<Network>false</Network>$<Network>true</Network>$<PrecreateFiles>CreateOnlyFilesWithConstantOrZeroSizes</PrecreateFiles>$<PrecreateFiles>CreateOnlyFilesWithConstantSizes</PrecreateFiles>$<PrecreateFiles>UseMaxSize</PrecreateFiles>$<Process>false</Process>$<Process>true</Process>$<Profile>$<Progress>%u</Progress>$<Registry>false</Registry>$<Registry>true</Registry>$<ResultFormat>* UNSUPPORTED *</ResultFormat>$<ResultFormat>text</ResultFormat>$<ResultFormat>xml</ResultFormat>$<Thread>false</Thread>$<Thread>true</Thread>$<TimeSpans>$<UseCyclesCounter>false</UseCyclesCounter>$<UseCyclesCounter>true</UseCyclesCounter>$<UsePagedMemory>false</UsePagedMemory>$<UsePagedMemory>true</UsePagedMemory>$<UsePerfTimer>false</UsePerfTimer>$<UsePerfTimer>true</UsePerfTimer>$<UseSystemTimer>false</UseSystemTimer>$<UseSystemTimer>true</UseSystemTimer>$<Verbose>false</Verbose>$<Verbose>true</Verbose>
API String ID: 615691289-2790193338
Opcode ID: 1467243dc7786fd06ee934ce693a4562f0bb8cca40dca4df5850ca294ce18f17
Instruction ID: 3dfe5dec5e707e73cc14d94aa98ffcd7a285e63ec4b064daac120bef0d63635c
Opcode Fuzzy Hash: 1467243dc7786fd06ee934ce693a4562f0bb8cca40dca4df5850ca294ce18f17
Instruction Fuzzy Hash: C781D461D0557D2ADB64AA208C45BBE7698AF05330F08107AFB05673B3CFECAD4467D1

Uniqueness

Uniqueness Score: -1.00%

Function 00FFB41D Relevance: 49.3, APIs: 7, Strings: 21, Instructions: 269COMMON

Download Yara Rule

APIs

sprintf_s.MSVCRT ref: 00FFB51C
sprintf_s.MSVCRT ref: 00FFB550
sprintf_s.MSVCRT ref: 00FFB584
sprintf_s.MSVCRT ref: 00FFB5B8
sprintf_s.MSVCRT ref: 00FFB5EC
sprintf_s.MSVCRT ref: 00FFB620
sprintf_s.MSVCRT ref: 00FFB688

Strings

<Warmup>%u</Warmup>, xrefs: 00FFB549
<AffinityGroupAssignment Group="%u" Processor="%u"/>, xrefs: 00FFB677
<Cooldown>%u</Cooldown>, xrefs: 00FFB57D
<Affinity>, xrefs: 00FFB651, 00FFB656, 00FFB65E
</TimeSpan>, xrefs: 00FFB743, 00FFB748, 00FFB750
<DisableAffinity>false</DisableAffinity>, xrefs: 00FFB4F2
</Targets>, xrefs: 00FFB72E, 00FFB733, 00FFB73B
<TimeSpan>, xrefs: 00FFB469
<DisableAffinity>true</DisableAffinity>, xrefs: 00FFB4EB, 00FFB4F7, 00FFB4FF
<MeasureLatency>false</MeasureLatency>, xrefs: 00FFB4B2
<Targets>, xrefs: 00FFB6CE, 00FFB6D3, 00FFB6DB
<ThreadCount>%u</ThreadCount>, xrefs: 00FFB5B1
<Duration>%u</Duration>, xrefs: 00FFB515
<CompletionRoutines>true</CompletionRoutines>, xrefs: 00FFB47D, 00FFB497, 00FFB49F
<RandSeed>%u</RandSeed>, xrefs: 00FFB619
<CalculateIopsStdDev>true</CalculateIopsStdDev>, xrefs: 00FFB4CB, 00FFB4D7, 00FFB4DF
<MeasureLatency>true</MeasureLatency>, xrefs: 00FFB4AB, 00FFB4B7, 00FFB4BF
<IoBucketDuration>%u</IoBucketDuration>, xrefs: 00FFB5E5
<CompletionRoutines>false</CompletionRoutines>, xrefs: 00FFB492
<CalculateIopsStdDev>false</CalculateIopsStdDev>, xrefs: 00FFB4D2
</Affinity>, xrefs: 00FFB6B3, 00FFB6B8, 00FFB6C0

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: sprintf_s
String ID: </Affinity>$</Targets>$</TimeSpan>$<Affinity>$<AffinityGroupAssignment Group="%u" Processor="%u"/>$<CalculateIopsStdDev>false</CalculateIopsStdDev>$<CalculateIopsStdDev>true</CalculateIopsStdDev>$<CompletionRoutines>false</CompletionRoutines>$<CompletionRoutines>true</CompletionRoutines>$<Cooldown>%u</Cooldown>$<DisableAffinity>false</DisableAffinity>$<DisableAffinity>true</DisableAffinity>$<Duration>%u</Duration>$<IoBucketDuration>%u</IoBucketDuration>$<MeasureLatency>false</MeasureLatency>$<MeasureLatency>true</MeasureLatency>$<RandSeed>%u</RandSeed>$<Targets>$<ThreadCount>%u</ThreadCount>$<TimeSpan>$<Warmup>%u</Warmup>
API String ID: 2907819478-3937871512
Opcode ID: bcc72b97db4b921a003407d839c859495b99f4e947aab799cdfb2c7809a48ab9
Instruction ID: 3421536652f1d72fb99d7bcfcf04bde55f1a3df751f27ad10fea1debf75cb32a
Opcode Fuzzy Hash: bcc72b97db4b921a003407d839c859495b99f4e947aab799cdfb2c7809a48ab9
Instruction Fuzzy Hash: 5D918672D0015C7BDB20EA608C45FFA72BCEF44350F1805ADF69593262DABCED84AB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FFFFFD Relevance: 45.9, APIs: 1, Strings: 25, Instructions: 367COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 01000004

Part of subcall function 0100086D: __EH_prolog3_GS.LIBCMT ref: 01000877
Part of subcall function 0100086D: memset.MSVCRT ref: 0100090E
Part of subcall function 0100086D: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000103,00000000,00000000), ref: 01000949
Part of subcall function 0100086D: SysFreeString.OLEAUT32(?), ref: 0100097D
Part of subcall function 0100086D: VariantClear.OLEAUT32(?), ref: 0100098A

Part of subcall function 010006E9: __EH_prolog3_GS.LIBCMT ref: 010006F0
Part of subcall function 010006E9: _wtoi.MSVCRT ref: 0100075A
Part of subcall function 010006E9: SysFreeString.OLEAUT32(?), ref: 01000769
Part of subcall function 010006E9: VariantClear.OLEAUT32(?), ref: 01000773

Strings

BaseFileOffset, xrefs: 010000EC
MaxFileSize, xrefs: 01000391
RandomAccess, xrefs: 0100013D
DisableAllCache, xrefs: 01000231
BlockSize, xrefs: 01000076
DisableLocalCache, xrefs: 0100025E
SequentialScan, xrefs: 01000116
Path, xrefs: 01000025
Throughput, xrefs: 01000318
StrideSize, xrefs: 0100009A
WriteRatio, xrefs: 010003BB
ThreadsPerFile, xrefs: 0100033F
IOPriority, xrefs: 01000425
ThinkTime, xrefs: 010002ED
DisableOSCache, xrefs: 01000206
WriteThrough, xrefs: 01000289
TemporaryFile, xrefs: 01000164
InterlockedSequential, xrefs: 010000C8
ParallelAsyncIO, xrefs: 010003DF
ThreadStride, xrefs: 010003FF
BurstSize, xrefs: 010002C5
UseLargePages, xrefs: 0100018B
FileSize, xrefs: 01000363
Random, xrefs: 010001D6
RequestCount, xrefs: 010001B2

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: H_prolog3_$ClearFreeStringVariant$ByteCharMultiWide_wtoimemset
String ID: BaseFileOffset$BlockSize$BurstSize$DisableAllCache$DisableLocalCache$DisableOSCache$FileSize$IOPriority$InterlockedSequential$MaxFileSize$ParallelAsyncIO$Path$Random$RandomAccess$RequestCount$SequentialScan$StrideSize$TemporaryFile$ThinkTime$ThreadStride$ThreadsPerFile$Throughput$UseLargePages$WriteRatio$WriteThrough
API String ID: 283221528-1607452813
Opcode ID: a67cf0bd7dee154df7d7c4810f830aadf5e898f19f7ee27f77aca28f3f01f76c
Instruction ID: ad2943030beac20bf1371530c35ca82f3f5fcbe3d8f1f869e1ded9a3640e8ee2
Opcode Fuzzy Hash: a67cf0bd7dee154df7d7c4810f830aadf5e898f19f7ee27f77aca28f3f01f76c
Instruction Fuzzy Hash: E9D1A671D0161AAFEB13DB68C880BEDBBA86F05780F054251FE90A7395DB71E854C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 01001B60 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 181COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01001C76

Strings

write, xrefs: 01001D78
t[%u:%u] new I/O op at %I64u (starting in block: %I64u), xrefs: 01001C90
read, xrefs: 01001D71, 01001D84
t[%u:%u] error during %s error code: %u), xrefs: 01001D8C
Thread %u failed executing an I/O operation (error code: %u), xrefs: 01001B8D
Warning: thread %u transferred %u bytes instead of %u bytes, xrefs: 01001BDF

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: Thread %u failed executing an I/O operation (error code: %u)$Warning: thread %u transferred %u bytes instead of %u bytes$read$t[%u:%u] error during %s error code: %u)$t[%u:%u] new I/O op at %I64u (starting in block: %I64u)$write
API String ID: 885266447-1044934336
Opcode ID: 044815e49733b7fd481685d2fbb3378be2d6d01a2601e6cf1f97335c34c25b3e
Instruction ID: 410775a7e77ef3414766c7cf227ffd597c018a13005bc949d8318300feb0c068
Opcode Fuzzy Hash: 044815e49733b7fd481685d2fbb3378be2d6d01a2601e6cf1f97335c34c25b3e
Instruction Fuzzy Hash: C9718E75504201DFDB15DF58C884E6ABBE6FF88314F0944A9F9889B2A6C731EC45CF92

Uniqueness

Uniqueness Score: -1.00%

Function 01001085 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 95synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 010010AB
GetLastError.KERNEL32 ref: 010010B8
DeviceIoControl.KERNEL32(?,00070000,00000000,00000000,00000001,00000018,?,?), ref: 010010ED
GetLastError.KERNEL32 ref: 010010F9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0100110B
GetLastError.KERNEL32 ref: 01001115
CloseHandle.KERNEL32(?), ref: 01001138

Strings

ERROR: Could not obtain drive geometry (error code: %u), xrefs: 01001129
ERROR: Failed while waiting for event to be signaled (error code: %u), xrefs: 0100111C
ERROR: Failed to create event (error code: %u), xrefs: 010010BF

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ErrorLast$CloseControlCreateDeviceEventHandleObjectSingleWait
String ID: ERROR: Could not obtain drive geometry (error code: %u)$ERROR: Failed to create event (error code: %u)$ERROR: Failed while waiting for event to be signaled (error code: %u)
API String ID: 3935222316-3021154126
Opcode ID: 8cc0b58b26fe248a54b5e835ff3b1523cea83d840642cee5d193de4e2e218fad
Instruction ID: e50a581713bd14451d4cb853c4730f909f20186601a42acd24578704b9afc6fb
Opcode Fuzzy Hash: 8cc0b58b26fe248a54b5e835ff3b1523cea83d840642cee5d193de4e2e218fad
Instruction Fuzzy Hash: E2219632900155BFAB279BA5DC09DFFBBBEEB88710F100159F541E2190DA798900C761

Uniqueness

Uniqueness Score: -1.00%

Function 01005E88 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 161COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 01005EB7
??3@YAXPAX@Z.MSVCRT ref: 01005ECF
std::tr1::_Xmem.LIBCPMT ref: 01005EEF
??3@YAXPAX@Z.MSVCRT ref: 01005F4B

Part of subcall function 0100CA2B: malloc.MSVCRT ref: 0100CA42

std::tr1::_Xmem.LIBCPMT ref: 01005F70
??3@YAXPAX@Z.MSVCRT ref: 01005FC2

Strings

`f-, xrefs: 01005E91, 01005EA1, 01005F02
`f-, xrefs: 01005F03, 01005F82, 01005E8E, 01005E90, 01005F86, 01005F87
`f-, xrefs: 01005E8F

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ??3@$Xmemstd::tr1::_$mallocmemmove
String ID: `f-$`f-$`f-
API String ID: 4037358618-2493346481
Opcode ID: 1ff2968ad702bd7749990753d4d83b2f314a7b70f0824bfe3e0873aa4d3c51f1
Instruction ID: afe237359c7167eaf88ce14f1d88156f1bf710ef265354a03886f6cffab36268
Opcode Fuzzy Hash: 1ff2968ad702bd7749990753d4d83b2f314a7b70f0824bfe3e0873aa4d3c51f1
Instruction Fuzzy Hash: 3F41D672500115EFEB25DF6CDD8495AFBEDEF89710F24419AE984CB284DA71DD00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0100057C Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 111COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 01000583

Part of subcall function 00FFF15E: __EH_prolog3_GS.LIBCMT ref: 00FFF165
Part of subcall function 00FFF15E: VariantClear.OLEAUT32 ref: 00FFF17A
Part of subcall function 00FFF15E: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,-00000008,?,00000014,01000AA9,?,00000020,00FFF785,?,//Profile/ETW/Process,?), ref: 00FFF215
Part of subcall function 00FFF15E: SysAllocString.OLEAUT32(00000000), ref: 00FFF228
Part of subcall function 00FFF15E: free.MSVCRT(00000000,?,00000014,01000AA9,?,00000020,00FFF785,?,//Profile/ETW/Process,?), ref: 00FFF257

VariantClear.OLEAUT32(?), ref: 010006CC

Part of subcall function 01000790: __EH_prolog3_GS.LIBCMT ref: 01000797
Part of subcall function 01000790: _wtoi.MSVCRT ref: 0100081D
Part of subcall function 01000790: SysFreeString.OLEAUT32(?), ref: 0100082C
Part of subcall function 01000790: SysFreeString.OLEAUT32(?), ref: 0100083D

fprintf.MSVCRT ref: 0100066A
fprintf.MSVCRT ref: 01000692

Part of subcall function 0100D7CD: __iob_func.MSVCRT ref: 0100D7D2

Strings

ERROR: profile specifies group assignment to core %u, out of range, xrefs: 0100065C
Affinity/AffinityGroupAssignment, xrefs: 01000592
Processor, xrefs: 01000643
ERROR: profile specifies group assignment group %u, out of range, xrefs: 01000684
Group, xrefs: 01000629

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: H_prolog3_String$ClearFreeVariantfprintf$AllocByteCharMultiWide__iob_func_wtoifree
String ID: Affinity/AffinityGroupAssignment$ERROR: profile specifies group assignment group %u, out of range$ERROR: profile specifies group assignment to core %u, out of range$Group$Processor
API String ID: 1108869389-696485494
Opcode ID: f4f1fe92238df9ec7f49283ecfc5f6f750721b6b66f0fed94a88e1211adc215f
Instruction ID: 6c829886b2f4170b65e949f909177c9943d07266d6fac051bed821456af68013
Opcode Fuzzy Hash: f4f1fe92238df9ec7f49283ecfc5f6f750721b6b66f0fed94a88e1211adc215f
Instruction Fuzzy Hash: 8E41A175D0121A9FEF12DFA4C845AEEBB71AF48710F100028EA41B7290CB79AD45DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01001DA7 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 146fileCOMMON

Download Yara Rule

APIs

ReadFileEx.KERNEL32(00000010,00000000,00000004,?,01001B60,000000B8,00000000,?), ref: 01001E66
WriteFileEx.KERNEL32(00000010,00000000,?,00000000,00000004,?,01001B60,000000B8,00000000,?), ref: 01001E92
GetLastError.KERNEL32 ref: 01001EEE
WaitForSingleObjectEx.KERNEL32(?,000000FF,00000001,000000B8,00000000,?), ref: 01001F20

Strings

Error in thread %u during WaitForSingleObjectEx (in completion routines), xrefs: 01001F42
write, xrefs: 01001EE9, 01001EF5
read, xrefs: 01001EDF
t[%u:%u] error during %s error code: %u), xrefs: 01001EFF

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: File$ErrorLastObjectReadSingleWaitWrite
String ID: Error in thread %u during WaitForSingleObjectEx (in completion routines)$read$t[%u:%u] error during %s error code: %u)$write
API String ID: 781436170-3983133461
Opcode ID: 3555881b8eb798c799fc273c4904a15fa6fa495bd8208f0e8219a637e144555a
Instruction ID: ca4b1a96468e4e6e228cc6001a89d87bb2db256ccf83fc699e05b02670e16fc3
Opcode Fuzzy Hash: 3555881b8eb798c799fc273c4904a15fa6fa495bd8208f0e8219a637e144555a
Instruction Fuzzy Hash: D5519D75D0021AEFDB16CF98C840AAEFBB1FF08310F1581A9E995A3291C735ED51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FFFE7D Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 125COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00FFFE84

Part of subcall function 00FFF15E: __EH_prolog3_GS.LIBCMT ref: 00FFF165
Part of subcall function 00FFF15E: VariantClear.OLEAUT32 ref: 00FFF17A
Part of subcall function 00FFF15E: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,-00000008,?,00000014,01000AA9,?,00000020,00FFF785,?,//Profile/ETW/Process,?), ref: 00FFF215
Part of subcall function 00FFF15E: SysAllocString.OLEAUT32(00000000), ref: 00FFF228
Part of subcall function 00FFF15E: free.MSVCRT(00000000,?,00000014,01000AA9,?,00000020,00FFF785,?,//Profile/ETW/Process,?), ref: 00FFF257

VariantClear.OLEAUT32(?), ref: 00FFFFE0

Part of subcall function 0100086D: __EH_prolog3_GS.LIBCMT ref: 01000877
Part of subcall function 0100086D: memset.MSVCRT ref: 0100090E
Part of subcall function 0100086D: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000103,00000000,00000000), ref: 01000949
Part of subcall function 0100086D: SysFreeString.OLEAUT32(?), ref: 0100097D
Part of subcall function 0100086D: VariantClear.OLEAUT32(?), ref: 0100098A

Part of subcall function 00FFC383: memcmp.MSVCRT ref: 00FFC3AF

Strings

WriteBufferContent, xrefs: 00FFFE9C
random, xrefs: 00FFFF98, 00FFFF9D, 00FFFFA5, 00FFFFA9
zero, xrefs: 00FFFF74, 00FFFF79, 00FFFF81, 00FFFF85
sequential, xrefs: 00FFFF56, 00FFFF5B, 00FFFF63, 00FFFF67
Pattern, xrefs: 00FFFF3E

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ClearH_prolog3_Variant$ByteCharMultiStringWide$AllocFreefreememcmpmemset
String ID: Pattern$WriteBufferContent$random$sequential$zero
API String ID: 1455204710-842192564
Opcode ID: d0f56622e4a1d5e49cccf67f15a5964852a059abfaa4518ce4cf586cbe829c3b
Instruction ID: 32998654940a21f91d415d7c4f31ca2c96b438a6d50ea92d55e6e73ff75447d9
Opcode Fuzzy Hash: d0f56622e4a1d5e49cccf67f15a5964852a059abfaa4518ce4cf586cbe829c3b
Instruction Fuzzy Hash: 4A418232C0012DAFDB11EBA0DC44BFEBB74AF05320F150124EA01B72A1DB756D49EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9D90 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

printf.MSVCRT ref: 00FF9DA0
SetEvent.KERNEL32 ref: 00FF9DAD
GetLastError.KERNEL32 ref: 00FF9DB7

Part of subcall function 0100D7CD: __iob_func.MSVCRT ref: 0100D7D2

fprintf.MSVCRT ref: 00FF9DCC
SetConsoleCtrlHandler.KERNEL32(00FF9D90,00000000), ref: 00FF9DDC

Strings

Warning: Setting abort event failed (error code: %u), xrefs: 00FF9DBE
*** Interrupted by Ctrl-C. Stopping I/O Request Generator. ***, xrefs: 00FF9D9B

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ConsoleCtrlErrorEventHandlerLast__iob_funcfprintfprintf
String ID: *** Interrupted by Ctrl-C. Stopping I/O Request Generator. ***$Warning: Setting abort event failed (error code: %u)
API String ID: 2832824574-2030963000
Opcode ID: a5a1176b767b7ed47aba3af1be737b251178f94abfe7b8e510af8fd7ed810815
Instruction ID: 0cf76262b0eae8e5195ca6b4754446a9f1b9a4deaed5f8ca4fbcb7399db3e323
Opcode Fuzzy Hash: a5a1176b767b7ed47aba3af1be737b251178f94abfe7b8e510af8fd7ed810815
Instruction Fuzzy Hash: C0F03035544248AFE3206BB1BC0EB3A3A59EF14721F704424B785910A6EAFA94509722

Uniqueness

Uniqueness Score: -1.00%

Function 01008DF8 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 0100834C: memset.MSVCRT ref: 01008379
Part of subcall function 0100834C: vsprintf_s.MSVCRT ref: 0100838D

sprintf_s.MSVCRT ref: 01008F18
sprintf_s.MSVCRT ref: 01008FED

Strings

%4u| %6.2lf%%| %6.2lf%%| %6.2lf%%| %6.2lf%%, xrefs: 01008F0D
CPU | Usage | User | Kernel | Idle, xrefs: 01008E41
avg.| %6.2lf%%| %6.2lf%%| %6.2lf%%| %6.2lf%%, xrefs: 01008FE2
-------------------------------------------, xrefs: 01008E50, 01008F90

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: sprintf_s$memsetvsprintf_s
String ID: CPU | Usage | User | Kernel | Idle$%4u| %6.2lf%%| %6.2lf%%| %6.2lf%%| %6.2lf%%$-------------------------------------------$avg.| %6.2lf%%| %6.2lf%%| %6.2lf%%| %6.2lf%%
API String ID: 1157834829-6584663
Opcode ID: e1fc9b5d5233081b05f7c90ea60f725faa359e8aa0ebeab387393ad922bedc58
Instruction ID: 05b5c9bb6795ef9c90adbb490e6e0d4da56abd8cb7c1c7de8f660567ca0711d7
Opcode Fuzzy Hash: e1fc9b5d5233081b05f7c90ea60f725faa359e8aa0ebeab387393ad922bedc58
Instruction Fuzzy Hash: 37517D71A08B45A7D3067F24D448AAAFBF8FF84380F61488DF1C4511A9EF7299749B87

Uniqueness

Uniqueness Score: -1.00%

Function 01001250 Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?), ref: 01001273
GetLastError.KERNEL32 ref: 01001280
DeviceIoControl.KERNEL32(00000000,000902B8,00000000,00000000,00000000,00000000,00000000,?), ref: 01001297
GetLastError.KERNEL32 ref: 010012A1
GetOverlappedResult.KERNEL32(00000000,?,00000000,00000001), ref: 010012BC
GetLastError.KERNEL32 ref: 010012C6
CloseHandle.KERNEL32(00000000), ref: 010012DC

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ErrorLast$CloseControlCreateDeviceEventHandleOverlappedResult
String ID:
API String ID: 2847295715-0
Opcode ID: b9ba80475d4c10c7a98ad57ce887849f03f4695ea47eab72565018b2a81c840f
Instruction ID: 98f65441c16f26f530bdc3ba51fdd42d82e556a601f2e9d4f9a45d6d7abfdcde
Opcode Fuzzy Hash: b9ba80475d4c10c7a98ad57ce887849f03f4695ea47eab72565018b2a81c840f
Instruction Fuzzy Hash: 431151B5900219BFE7229AA9DC49AEFBABEFB04351F100161FA45E2181D6758940C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 00FFF15E Relevance: 9.1, APIs: 6, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00FFF165
VariantClear.OLEAUT32 ref: 00FFF17A
malloc.MSVCRT ref: 00FFF1E8
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,-00000008,?,00000014,01000AA9,?,00000020,00FFF785,?,//Profile/ETW/Process,?), ref: 00FFF215
SysAllocString.OLEAUT32(00000000), ref: 00FFF228
free.MSVCRT(00000000,?,00000014,01000AA9,?,00000020,00FFF785,?,//Profile/ETW/Process,?), ref: 00FFF257

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: AllocByteCharClearH_prolog3_MultiStringVariantWidefreemalloc
String ID:
API String ID: 1623262104-0
Opcode ID: d12a4b1b943dc62170075d050a7c2b60d54d1b331ab0f57c8b46de0242a2eee7
Instruction ID: 0513c6be6c080a26e0c089cf7f49b1577726787ebd78adbc58e18f2f93573661
Opcode Fuzzy Hash: d12a4b1b943dc62170075d050a7c2b60d54d1b331ab0f57c8b46de0242a2eee7
Instruction Fuzzy Hash: 6E31F63590020ADBDF24CF64DC846BD77B5EF85320F244229EA05DB2A1DA798D09DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FFCC0B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00FFCC68
toupper.MSVCRT ref: 00FFCCA4
fprintf.MSVCRT ref: 00FFCCCF
__aulldiv.LIBCMT ref: 00FFCD11

Strings

Invalid size specifier '%c'. Valid ones are: K - KB, M - MB, G - GB, B - block, xrefs: 00FFCCC1

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: __aulldiv$fprintftoupper
String ID: Invalid size specifier '%c'. Valid ones are: K - KB, M - MB, G - GB, B - block
API String ID: 2363179844-1600532622
Opcode ID: 4262dbc882d0d1891b5c670ebde6f48c7443195a863d8563b5587c2f6e0baac4
Instruction ID: d90f0f76d802e14f600873d01d2328d7493816ee729c3373bcd193d12b271e64
Opcode Fuzzy Hash: 4262dbc882d0d1891b5c670ebde6f48c7443195a863d8563b5587c2f6e0baac4
Instruction Fuzzy Hash: C2415A7294426D9BC720CE1885447BF7FD4EFC2770F15462AFAB99B2A4D2308C01A7D2

Uniqueness

Uniqueness Score: -1.00%

Function 00FFFD31 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00FFFD38

Part of subcall function 00FFF15E: __EH_prolog3_GS.LIBCMT ref: 00FFF165
Part of subcall function 00FFF15E: VariantClear.OLEAUT32 ref: 00FFF17A
Part of subcall function 00FFF15E: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,-00000008,?,00000014,01000AA9,?,00000020,00FFF785,?,//Profile/ETW/Process,?), ref: 00FFF215
Part of subcall function 00FFF15E: SysAllocString.OLEAUT32(00000000), ref: 00FFF228
Part of subcall function 00FFF15E: free.MSVCRT(00000000,?,00000014,01000AA9,?,00000020,00FFF785,?,//Profile/ETW/Process,?), ref: 00FFF257

VariantClear.OLEAUT32(?), ref: 00FFFE60

Part of subcall function 010009AA: __EH_prolog3_GS.LIBCMT ref: 010009B1
Part of subcall function 010009AA: _wtoi64.MSVCRT ref: 01000A1B
Part of subcall function 010009AA: SysFreeString.OLEAUT32(?), ref: 01000A2D
Part of subcall function 010009AA: VariantClear.OLEAUT32(?), ref: 01000A37

Part of subcall function 0100086D: __EH_prolog3_GS.LIBCMT ref: 01000877
Part of subcall function 0100086D: memset.MSVCRT ref: 0100090E
Part of subcall function 0100086D: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000103,00000000,00000000), ref: 01000949
Part of subcall function 0100086D: SysFreeString.OLEAUT32(?), ref: 0100097D
Part of subcall function 0100086D: VariantClear.OLEAUT32(?), ref: 0100098A

Strings

RandomDataSource, xrefs: 00FFFD50
FilePath, xrefs: 00FFFE1D
SizeInBytes, xrefs: 00FFFDDD

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ClearH_prolog3_Variant$String$ByteCharFreeMultiWide$Alloc_wtoi64freememset
String ID: FilePath$RandomDataSource$SizeInBytes
API String ID: 315616386-221587684
Opcode ID: 9c14ad59bdac5f18cf7e193593c50d02c07a14582396417d2de7ac6c9a47ec8d
Instruction ID: 7ebeff7b2c6a0e733372500e8712b282c9a3a1475ad7a86dc89892a4a9f17d0e
Opcode Fuzzy Hash: 9c14ad59bdac5f18cf7e193593c50d02c07a14582396417d2de7ac6c9a47ec8d
Instruction Fuzzy Hash: 4D419331D0022D9FDB11EBA4C854BEDB7B4AF08B10F154128EA55B72A1DB74AD09DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01000475 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0100047C

Part of subcall function 00FFF15E: __EH_prolog3_GS.LIBCMT ref: 00FFF165
Part of subcall function 00FFF15E: VariantClear.OLEAUT32 ref: 00FFF17A
Part of subcall function 00FFF15E: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,-00000008,?,00000014,01000AA9,?,00000020,00FFF785,?,//Profile/ETW/Process,?), ref: 00FFF215
Part of subcall function 00FFF15E: SysAllocString.OLEAUT32(00000000), ref: 00FFF228
Part of subcall function 00FFF15E: free.MSVCRT(00000000,?,00000014,01000AA9,?,00000020,00FFF785,?,//Profile/ETW/Process,?), ref: 00FFF257

_wtoi.MSVCRT ref: 0100052F
SysFreeString.OLEAUT32(?), ref: 01000543
VariantClear.OLEAUT32(?), ref: 0100055F

Strings

Affinity/AffinityAssignment, xrefs: 0100048B

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ClearH_prolog3_StringVariant$AllocByteCharFreeMultiWide_wtoifree
String ID: Affinity/AffinityAssignment
API String ID: 1474463088-139104479
Opcode ID: 78c291fdcc366a3a1d0be9f78a616fd45e6184dc6cd9d627d434e214dc22409e
Instruction ID: 8f35e7f36c875f6c642f877003ad76636dc86ff027c721b7eab27383581855de
Opcode Fuzzy Hash: 78c291fdcc366a3a1d0be9f78a616fd45e6184dc6cd9d627d434e214dc22409e
Instruction Fuzzy Hash: 5D319E35D0062ADFDF11DFA8C8549AEBBB4BF48310F110058FA46B7290DB39AD05DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01000A84 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 01000A8B

Part of subcall function 00FFF15E: __EH_prolog3_GS.LIBCMT ref: 00FFF165
Part of subcall function 00FFF15E: VariantClear.OLEAUT32 ref: 00FFF17A
Part of subcall function 00FFF15E: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,-00000008,?,00000014,01000AA9,?,00000020,00FFF785,?,//Profile/ETW/Process,?), ref: 00FFF215
Part of subcall function 00FFF15E: SysAllocString.OLEAUT32(00000000), ref: 00FFF228
Part of subcall function 00FFF15E: free.MSVCRT(00000000,?,00000014,01000AA9,?,00000020,00FFF785,?,//Profile/ETW/Process,?), ref: 00FFF257

_wcsicmp.MSVCRT ref: 01000AFA
SysFreeString.OLEAUT32(?), ref: 01000B10
VariantClear.OLEAUT32(?), ref: 01000B1A

Strings

true, xrefs: 01000AF5

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ClearH_prolog3_StringVariant$AllocByteCharFreeMultiWide_wcsicmpfree
String ID: true
API String ID: 1156377413-4261170317
Opcode ID: b91aa60b9676449f440d52e57cb28e089ef179bec05528b4a549f32ddc35634e
Instruction ID: 3a8387ecb107e5a1a884a5237ca7523cd03b0f60b2ed44fc1bf0811bda76ec55
Opcode Fuzzy Hash: b91aa60b9676449f440d52e57cb28e089ef179bec05528b4a549f32ddc35634e
Instruction Fuzzy Hash: 45119031D0061ADFDF16DFA8C814AEE7BB5EF18714F114044FA51A7291DB3AAD05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0100566F Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 26COMMON

Download Yara Rule

APIs

std::tr1::_Xmem.LIBCPMT ref: 0100569D

Part of subcall function 0100CA2B: malloc.MSVCRT ref: 0100CA42

Strings

`f-, xrefs: 0100573B
`f-, xrefs: 0100573A, 0100573E
`f-, xrefs: 01005674, 0100568A
`f-, xrefs: 0100574F

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: Xmemmallocstd::tr1::_
String ID: `f-$`f-$`f-$`f-
API String ID: 257571584-4052585162
Opcode ID: 7c7114010afcbfbf860dba97b4141d18af6df5acf57101dcefbe54b6bb4924d2
Instruction ID: 81e860ffbb734a3cc77074ff34108e1735f48b612f5692c9e96ff242b0901a12
Opcode Fuzzy Hash: 7c7114010afcbfbf860dba97b4141d18af6df5acf57101dcefbe54b6bb4924d2
Instruction Fuzzy Hash: BDD05E7130830F07BB5E656DBD255AE7BCCCBA9720F14047A659ACB5C0ED30D8404829

Uniqueness

Uniqueness Score: -1.00%

Function 0100086D Relevance: 7.6, APIs: 5, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 01000877

Part of subcall function 00FFF15E: __EH_prolog3_GS.LIBCMT ref: 00FFF165
Part of subcall function 00FFF15E: VariantClear.OLEAUT32 ref: 00FFF17A
Part of subcall function 00FFF15E: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,-00000008,?,00000014,01000AA9,?,00000020,00FFF785,?,//Profile/ETW/Process,?), ref: 00FFF215
Part of subcall function 00FFF15E: SysAllocString.OLEAUT32(00000000), ref: 00FFF228
Part of subcall function 00FFF15E: free.MSVCRT(00000000,?,00000014,01000AA9,?,00000020,00FFF785,?,//Profile/ETW/Process,?), ref: 00FFF257

memset.MSVCRT ref: 0100090E
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000103,00000000,00000000), ref: 01000949
SysFreeString.OLEAUT32(?), ref: 0100097D
VariantClear.OLEAUT32(?), ref: 0100098A

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ByteCharClearH_prolog3_MultiStringVariantWide$AllocFreefreememset
String ID:
API String ID: 3350116639-0
Opcode ID: 84fb2d244943990c26a5ab5b3e41957a750fba4c18f8668b50e7862612c0bac3
Instruction ID: 524ab60fb22539687be2023450ca8822ecd2f22c347fbce81d72ab9e7b67060e
Opcode Fuzzy Hash: 84fb2d244943990c26a5ab5b3e41957a750fba4c18f8668b50e7862612c0bac3
Instruction Fuzzy Hash: 9631DE319001299BDB26EB64CC59FEEB778EF45700F004098FA4AA72A0CB356F85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01005EFA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 01005F4B
std::tr1::_Xmem.LIBCPMT ref: 01005F70

Part of subcall function 0100CA2B: malloc.MSVCRT ref: 0100CA42

Strings

`f-, xrefs: 01005E91, 01005EA1, 01005F02
`f-, xrefs: 01005F03, 01005F82, 01005E8E, 01005E90, 01005F86, 01005F87

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ??3@Xmemmallocstd::tr1::_
String ID: `f-$`f-
API String ID: 1885858825-3772381044
Opcode ID: 5fac11adfc1e7b783fbe92c3bb953b0273da701e3e5b9f1b1f2b0ecdf158786e
Instruction ID: 92cd6a0d2f1fe5a2d62a657346b821bbda5632d528d2d0b60bd1f3144e8330a2
Opcode Fuzzy Hash: 5fac11adfc1e7b783fbe92c3bb953b0273da701e3e5b9f1b1f2b0ecdf158786e
Instruction Fuzzy Hash: A10149725041249FEB19DF5CCD85A5ABBEDDF99620F14429EE904CF284DA71DD008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 010013B6 Relevance: 6.3, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

rand.MSVCRT ref: 010013BF
rand.MSVCRT ref: 010013D1
rand.MSVCRT ref: 010013EF
rand.MSVCRT ref: 0100140B
rand.MSVCRT ref: 01001429

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: rand
String ID:
API String ID: 415692148-0
Opcode ID: 51956e6ae83cd3a59a7f2f34235fa61e50ecba9beb1cf86ed339bc6f23d34e72
Instruction ID: 2b0c8c80584b814e0526f541727518bcf33a8f472a281a7d77e70d61d3ea229a
Opcode Fuzzy Hash: 51956e6ae83cd3a59a7f2f34235fa61e50ecba9beb1cf86ed339bc6f23d34e72
Instruction Fuzzy Hash: 1101F777E1122A6BE350DAA4D8863297692DB84210F1A0130FA3CD7285C93D9C21A6E1

Uniqueness

Uniqueness Score: -1.00%

Function 01001490 Relevance: 6.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 01001502
__aullrem.LIBCMT ref: 010015DE
__aulldiv.LIBCMT ref: 01001602
__aullrem.LIBCMT ref: 0100161D

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: __aullrem$__aulldiv
String ID:
API String ID: 3670715282-0
Opcode ID: 754fef53222c85af97132c4c6f2970ad45c246b85e278bd0114cd496febdb416
Instruction ID: faf415943e0f6547fd394ed7317787dbaec9927cf68307402a073d75cb0dd6e6
Opcode Fuzzy Hash: 754fef53222c85af97132c4c6f2970ad45c246b85e278bd0114cd496febdb416
Instruction Fuzzy Hash: A45159B19083119FD751CF18C880A1ABBE6FF88364F19469DE8C4A7292CB30ED548B92

Uniqueness

Uniqueness Score: -1.00%

Function 01000790 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 01000797

Part of subcall function 00FFF10B: SysFreeString.OLEAUT32 ref: 00FFF143

_wtoi.MSVCRT ref: 0100081D
SysFreeString.OLEAUT32(?), ref: 0100082C
SysFreeString.OLEAUT32(?), ref: 0100083D

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: FreeString$H_prolog3__wtoi
String ID:
API String ID: 2138719750-0
Opcode ID: 41ae6fd0c535c982a63b928990b4046ecb32f7b48f9331838b77de1a1b621f82
Instruction ID: 337d95150dea509e463a73f910bcdb1ec464ed83450dd6e813f1ac13158f10c9
Opcode Fuzzy Hash: 41ae6fd0c535c982a63b928990b4046ecb32f7b48f9331838b77de1a1b621f82
Instruction Fuzzy Hash: A1217331A0010ADFDF15DF54C854BAD7BB5FF58314F114058E592A72A0CB3AAE46DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010009AA Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 010009B1

Part of subcall function 00FFF15E: __EH_prolog3_GS.LIBCMT ref: 00FFF165
Part of subcall function 00FFF15E: VariantClear.OLEAUT32 ref: 00FFF17A
Part of subcall function 00FFF15E: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,-00000008,?,00000014,01000AA9,?,00000020,00FFF785,?,//Profile/ETW/Process,?), ref: 00FFF215
Part of subcall function 00FFF15E: SysAllocString.OLEAUT32(00000000), ref: 00FFF228
Part of subcall function 00FFF15E: free.MSVCRT(00000000,?,00000014,01000AA9,?,00000020,00FFF785,?,//Profile/ETW/Process,?), ref: 00FFF257

_wtoi64.MSVCRT ref: 01000A1B
SysFreeString.OLEAUT32(?), ref: 01000A2D
VariantClear.OLEAUT32(?), ref: 01000A37

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ClearH_prolog3_StringVariant$AllocByteCharFreeMultiWide_wtoi64free
String ID:
API String ID: 109575796-0
Opcode ID: ef7b70017146e246f3cc783d949591de20883628cffdc74875b8d6188690a10e
Instruction ID: 90b716e447fe58e74298b90f6a179a3e516ed2d25a32cff0f7b20ff2139df26d
Opcode Fuzzy Hash: ef7b70017146e246f3cc783d949591de20883628cffdc74875b8d6188690a10e
Instruction Fuzzy Hash: 37119031D0021ADFDF12DFA8C814AEDBBB5EF18314F118054FA55A72A0DB3A9E46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010006E9 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 010006F0

Part of subcall function 00FFF15E: __EH_prolog3_GS.LIBCMT ref: 00FFF165
Part of subcall function 00FFF15E: VariantClear.OLEAUT32 ref: 00FFF17A
Part of subcall function 00FFF15E: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,-00000008,?,00000014,01000AA9,?,00000020,00FFF785,?,//Profile/ETW/Process,?), ref: 00FFF215
Part of subcall function 00FFF15E: SysAllocString.OLEAUT32(00000000), ref: 00FFF228
Part of subcall function 00FFF15E: free.MSVCRT(00000000,?,00000014,01000AA9,?,00000020,00FFF785,?,//Profile/ETW/Process,?), ref: 00FFF257

_wtoi.MSVCRT ref: 0100075A
SysFreeString.OLEAUT32(?), ref: 01000769
VariantClear.OLEAUT32(?), ref: 01000773

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ClearH_prolog3_StringVariant$AllocByteCharFreeMultiWide_wtoifree
String ID:
API String ID: 1474463088-0
Opcode ID: 399aa3c9bd8e0e365e569fb6aa3712475067ab1075a3af58ffae4b0f5d129b99
Instruction ID: 40c9db394b83cdaeec24a6c4717d03918d8c315b1ae984457bc1a440055835a8
Opcode Fuzzy Hash: 399aa3c9bd8e0e365e569fb6aa3712475067ab1075a3af58ffae4b0f5d129b99
Instruction Fuzzy Hash: 60119031D0061ADFDF12EBA4C844AEDBBB5AF18310F114054EA55A7290DB3A9D05CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FFF06F Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 00FFF088
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 00FFF096
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,?,?,000000FF,00000000,00000000), ref: 00FFF0AC
SysFreeString.OLEAUT32(00000000), ref: 00FFF0B8

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ByteCharMultiStringWide$AllocFree
String ID:
API String ID: 447844807-0
Opcode ID: aed37c0e11a8c8c54c6d71e807b4d6992f2676cc8d69bee3c3fc9f3f52cf8099
Instruction ID: fdfe13769956afd196539a3ae7a0ef9407409d3bde8760f501f0074a0e098610
Opcode Fuzzy Hash: aed37c0e11a8c8c54c6d71e807b4d6992f2676cc8d69bee3c3fc9f3f52cf8099
Instruction Fuzzy Hash: 83F02832604119BBD33146869C4CE7BBE6DDF82370B200325F61CD3291DE655D04D3B0

Uniqueness

Uniqueness Score: -1.00%

Function 00FFEA9A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00FFEB9F
std::tr1::_Xmem.LIBCPMT ref: 00FFEBC2

Strings

8, xrefs: 00FFEB61

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ??3@Xmemstd::tr1::_
String ID: 8
API String ID: 2676974237-4194326291
Opcode ID: c3b56df8e51e3b92a216a6b30eddd35d26b615d52275591815267002ea85ee33
Instruction ID: bf97823014c8274cc1caccaa7503553b3ab839eadb32ab42226a1e48816142f5
Opcode Fuzzy Hash: c3b56df8e51e3b92a216a6b30eddd35d26b615d52275591815267002ea85ee33
Instruction Fuzzy Hash: 7031D976B0021A9BCB04DFA9C99546DFBA9EFD8310B24412AEB06D3360D674ED10DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FFFBF6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00FFFC00

Part of subcall function 00FFF15E: __EH_prolog3_GS.LIBCMT ref: 00FFF165
Part of subcall function 00FFF15E: VariantClear.OLEAUT32 ref: 00FFF17A
Part of subcall function 00FFF15E: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,-00000008,?,00000014,01000AA9,?,00000020,00FFF785,?,//Profile/ETW/Process,?), ref: 00FFF215
Part of subcall function 00FFF15E: SysAllocString.OLEAUT32(00000000), ref: 00FFF228
Part of subcall function 00FFF15E: free.MSVCRT(00000000,?,00000014,01000AA9,?,00000020,00FFF785,?,//Profile/ETW/Process,?), ref: 00FFF257

VariantClear.OLEAUT32(?), ref: 00FFFD1C

Part of subcall function 00FFFFFD: __EH_prolog3_GS.LIBCMT ref: 01000004

Part of subcall function 00FFCA85: __EH_prolog3_GS.LIBCMT ref: 00FFCA8F

Strings

Targets/Target, xrefs: 00FFFC13

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: H_prolog3_$ClearVariant$AllocByteCharMultiStringWidefree
String ID: Targets/Target
API String ID: 2883521150-4232948680
Opcode ID: b34205e79fd100ee6e49fac35311a9f0677439bc0b5812f0a23ab991dfb2db0e
Instruction ID: 44a81d6f55470117c789c9ec986dcd904a8a16ad8d3283e19061c005618d525a
Opcode Fuzzy Hash: b34205e79fd100ee6e49fac35311a9f0677439bc0b5812f0a23ab991dfb2db0e
Instruction Fuzzy Hash: B0317A3180122DDFEB25EB64CC44BADB774AF04310F1141E9EA09B32A0DB746E89DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0100C7D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0100C7F2
_CxxThrowException.MSVCRT(?,01010758), ref: 0100C845

Strings

IoBucketizer has not been initialized, xrefs: 0100C82F

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: ExceptionThrow__aulldiv
String ID: IoBucketizer has not been initialized
API String ID: 1607158013-2369748627
Opcode ID: 2afbcd9035d8b02c1dc50b51574964b34b3ed57ad59e317f7eb2c94cd0b40e25
Instruction ID: d688e2fd04d133329fd3ffc90cd00f2694bb699cc7838571f2eded4472a51483
Opcode Fuzzy Hash: 2afbcd9035d8b02c1dc50b51574964b34b3ed57ad59e317f7eb2c94cd0b40e25
Instruction Fuzzy Hash: E801B532900114ABEB12EE94C980D99F7B9FB54320F0982E1ED999F055D730F911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 010031FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 01003212

Part of subcall function 010031AA: TerminateThread.KERNEL32(?,00000000), ref: 010031C9

Strings

Error signaling start event, xrefs: 0100321C

Memory Dump Source

Source File: 0000000A.00000002.2579064630.0000000000FF1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00FF0000, based on PE: true

Associated: 0000000A.00000002.2579043704.0000000000FF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579089793.0000000001011000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 0000000A.00000002.2579103095.0000000001012000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ff0000_diskspd.jbxd

Similarity

API ID: EventTerminateThread
String ID: Error signaling start event
API String ID: 2007589259-38563648
Opcode ID: 8daef61600e79882f54dd55fc5a414cc2e50afad6e54985f5c5172807b466559
Instruction ID: ac72797f8c2e8789713939f52bd5a4897d7b545224be5f4ca9059d3bc80e4a31
Opcode Fuzzy Hash: 8daef61600e79882f54dd55fc5a414cc2e50afad6e54985f5c5172807b466559
Instruction Fuzzy Hash: B1E0DF30008305EFF7272F25E8087993BA6BF10B10F608004F6C5080D5CBBED590C766

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: FastSRV.exePID: 8112, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2%
Total number of Nodes:	1989
Total number of Limit Nodes:	38

Executed Functions

Function 01001260 Relevance: 79.0, APIs: 31, Strings: 14, Instructions: 216
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WTSGetActiveConsoleSessionId.KERNEL32 ref: 0100127D
WTSQueryUserToken.WTSAPI32(00000000,?), ref: 010012A3
GetTokenInformation.KERNELBASE(?,00000013(TokenIntegrityLevel),00000000,00000004,?), ref: 010012DD
GetLastError.KERNEL32 ref: 010012ED
wsprintfW.USER32 ref: 01001300
CloseHandle.KERNEL32(?,?,00000001), ref: 010013DE
wsprintfW.USER32 ref: 0100142D
CreateProcessAsUserW.ADVAPI32(?,?,00000000,00000000,00000000,00000000,00000480,?,00000000,?,?), ref: 01001462
CloseHandle.KERNEL32(?), ref: 01001479
CloseHandle.KERNEL32(?), ref: 01001481
DestroyEnvironmentBlock.USERENV(?), ref: 01001489
CloseHandle.KERNEL32(?), ref: 01001495
CloseHandle.KERNEL32(?), ref: 0100149D

Strings

%ws\fast!\fast!.exe, xrefs: 01001427
Fast user: Create Process Error %d, xrefs: 010014B9
Fast user: Query User Token Error %d, xrefs: 0100153B
Fast user: Duplicate Token Error, xrefs: 0100133E
, xrefs: 0100138D
Fast user: Convert SID error, xrefs: 01001377
Fast user: Set Token Info Error, xrefs: 010013C0
ProgramFiles, xrefs: 0100140C
Fast user: Token Error %d, xrefs: 010012F6
S-1-5-32-544, xrefs: 0100135E
Fast user: Set Token Info Error, xrefs: 010012FB, 01001343, 0100137C, 010013C5, 010014BE, 01001503, 01001540
D, xrefs: 010013FA
Fast user: Create Env Block Error %d, xrefs: 010014FE
winsta0\default, xrefs: 01001411

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID: CloseHandle$TokenUserwsprintf$ActiveBlockConsoleCreateDestroyEnvironmentErrorInformationLastProcessQuerySession
String ID: $%ws\fast!\fast!.exe$D$Fast user: Convert SID error$Fast user: Create Env Block Error %d$Fast user: Create Process Error %d$Fast user: Duplicate Token Error$Fast user: Query User Token Error %d$Fast user: Set Token Info Error$Fast user: Set Token Info Error$Fast user: Token Error %d$ProgramFiles$S-1-5-32-544$winsta0\default
API String ID: 413331851-1399582880
Opcode ID: 64712e0c7304b8208f91786f9d903606ef6980714a1a3ac97c3109c22ce450bb
Instruction ID: ab5d114ffc15247e64f11aa1d0a43fbe88baefa2e9cd6784cc073ee5507e6e27
Opcode Fuzzy Hash: 64712e0c7304b8208f91786f9d903606ef6980714a1a3ac97c3109c22ce450bb
Instruction Fuzzy Hash: 7C71C2B0A4021CAFEB31AB65DC45BDDBBB8EF44305F0044E9F788B6181DA755E848F69

Uniqueness

Uniqueness Score: -1.00%

Function 01001050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StartServiceCtrlDispatcherW.ADVAPI32(?), ref: 01001076
GetLastError.KERNEL32 ref: 01001080

Strings

FastSRV, xrefs: 01001059

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID: CtrlDispatcherErrorLastServiceStart
String ID: FastSRV
API String ID: 3783796564-1196406248
Opcode ID: 5706f9d75027b9cf86725c67978299c19e881519fbb8bb648bd5f5557bd0c61f
Instruction ID: e1d7d3a0ae41b2b13d237074595395c20afd3e3d11f5407940a6c2c6ec9b079e
Opcode Fuzzy Hash: 5706f9d75027b9cf86725c67978299c19e881519fbb8bb648bd5f5557bd0c61f
Instruction Fuzzy Hash: D0E0E6B0A0520C9BEB51DFE4D90936EBBFCEB04305F1045D5FC9CA2245E77A55148BE2

Uniqueness

Uniqueness Score: -1.00%

Function 01001090 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 65
registrysynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterServiceCtrlHandlerExW.ADVAPI32(FastSRV,Function_000011F0,00000000), ref: 0100109C
SetServiceStatus.SECHOST(00000000,01016668), ref: 01001102
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0100110C
GetLastError.KERNEL32 ref: 0100112A
SetServiceStatus.ADVAPI32(01016668), ref: 0100114A
SetServiceStatus.ADVAPI32(01016668), ref: 01001183
CreateThread.KERNELBASE(00000000,00000000,Function_00001570,00000000,00000000,00000000), ref: 01001194
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0100119D
CloseHandle.KERNEL32 ref: 010011A9
SetServiceStatus.ADVAPI32(01016668), ref: 010011E2

Strings

FastSRV, xrefs: 01001097

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID: Service$Status$Create$CloseCtrlErrorEventHandleHandlerLastObjectRegisterSingleThreadWait
String ID: FastSRV
API String ID: 4143498620-1196406248
Opcode ID: f1daa68c2eb946cc0ecf22fbeb65269e88e250eccbb942f96c121ed51e011791
Instruction ID: 46ae724c04108d4631bca1bbf000dc8aa0029393d5eeb290c2ce1c31424dd9ab
Opcode Fuzzy Hash: f1daa68c2eb946cc0ecf22fbeb65269e88e250eccbb942f96c121ed51e011791
Instruction Fuzzy Hash: F0218CB1681300AAE3619F61FC09B453AB1B719B09F104A09F6C4AA2CCCBFF5048CF64

Uniqueness

Uniqueness Score: -1.00%

Function 01001570 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 46
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01001260: WTSGetActiveConsoleSessionId.KERNEL32 ref: 0100127D

WaitForSingleObject.KERNEL32(00000000), ref: 0100158D
WTSGetActiveConsoleSessionId.KERNEL32 ref: 010015A0
wsprintfW.USER32 ref: 010015B3
Sleep.KERNELBASE(00002710), ref: 010015C9

Part of subcall function 01001260: WTSQueryUserToken.WTSAPI32(00000000,?), ref: 010012A3
Part of subcall function 01001260: GetTokenInformation.KERNELBASE(?,00000013(TokenIntegrityLevel),00000000,00000004,?), ref: 010012DD
Part of subcall function 01001260: GetLastError.KERNEL32 ref: 010012ED
Part of subcall function 01001260: wsprintfW.USER32 ref: 01001300
Part of subcall function 01001260: CloseHandle.KERNEL32(?,?,00000001), ref: 010013DE
Part of subcall function 01001260: wsprintfW.USER32 ref: 0100142D
Part of subcall function 01001260: CreateProcessAsUserW.ADVAPI32(?,?,00000000,00000000,00000000,00000000,00000480,?,00000000,?,?), ref: 01001462
Part of subcall function 01001260: CloseHandle.KERNEL32(?), ref: 01001479
Part of subcall function 01001260: CloseHandle.KERNEL32(?), ref: 01001481
Part of subcall function 01001260: DestroyEnvironmentBlock.USERENV(?), ref: 01001489
Part of subcall function 01001260: CloseHandle.KERNEL32(?), ref: 01001495
Part of subcall function 01001260: CloseHandle.KERNEL32(?), ref: 0100149D

Sleep.KERNELBASE(000007D0), ref: 010015E3
WaitForSingleObject.KERNEL32(00000000), ref: 010015ED

Strings

Fast user: id:%d, xrefs: 010015A9
Fast user: Set Token Info Error, xrefs: 010015AE

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID: CloseHandle$wsprintf$ActiveConsoleObjectSessionSingleSleepTokenUserWait$BlockCreateDestroyEnvironmentErrorInformationLastProcessQuery
String ID: Fast user: Set Token Info Error$Fast user: id:%d
API String ID: 4272876791-1331704477
Opcode ID: 2039482f77bbf2533cbad1b19a3c4da02e84a617ca1ea0208b3988127e295bb3
Instruction ID: 6910f78e2124235c93019ad7748e70a5ab9e6ce557ecd7049d1c6338d1f583b2
Opcode Fuzzy Hash: 2039482f77bbf2533cbad1b19a3c4da02e84a617ca1ea0208b3988127e295bb3
Instruction Fuzzy Hash: BC014931640204EBF6326769EC46B763B94FFC2361F040225FDC8BE0C4EA7A981087A5

Uniqueness

Uniqueness Score: -1.00%

Function 01007E66 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,01007F75,010089BC,?,00000000,00000000,00000000,?,0100812C,00000022,FlsSetValue,0100FADC,0100FAE4,00000000), ref: 01007F27

Strings

api-ms-, xrefs: 01007EBD
ext-ms-, xrefs: 01007ED1

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 41fe3116773a18effdcfb23a9b182290d736d8c9b6c4efcddc8afa518310ec16
Instruction ID: 54807c466df1879ee4e31309b94dc562260b69e95ee1075d15d8b8f877c5e2b2
Opcode Fuzzy Hash: 41fe3116773a18effdcfb23a9b182290d736d8c9b6c4efcddc8afa518310ec16
Instruction Fuzzy Hash: 5C213572A02151ABFB338B28DC40A6E3798AB45360F244568FEC1A72C1D779FD00C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 01004DEF Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,01004DE9,00000000,01004768,?,?,4F93FE85,01004768,?), ref: 01004E00
TerminateProcess.KERNEL32(00000000,?,01004DE9,00000000,01004768,?,?,4F93FE85,01004768,?), ref: 01004E07
ExitProcess.KERNEL32 ref: 01004E19

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c3a80813062dbd60fb1a53c38aeffea290218a233e1127c0a71cc2b376a93079
Instruction ID: e87e1e953628bb73eaf52f84b4c6d31ac6f6e0a50c7b52ebcc4787ef2be6ca50
Opcode Fuzzy Hash: c3a80813062dbd60fb1a53c38aeffea290218a233e1127c0a71cc2b376a93079
Instruction Fuzzy Hash: 65D09E71404149AFEF636F60EC0C9997F2AEF40341F444820BB89960A6DB769D92DB94

Uniqueness

Uniqueness Score: -1.00%

Function 01007F31 Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff44f0526ab1547c26c95ba33bf05e96066cc2eef19305b050ba4ba4ae397915
Instruction ID: 5e5c9679957f1b56c754cd5b94eb29aaca0b7c40350c945d7f814a3637be5009
Opcode Fuzzy Hash: ff44f0526ab1547c26c95ba33bf05e96066cc2eef19305b050ba4ba4ae397915
Instruction Fuzzy Hash: AC01B9336143159FBF278AACEC40A6A7795F7C57A0B148129FAC5DB1C8DB39E84087A0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01001E96 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 01001EA2
IsDebuggerPresent.KERNEL32 ref: 01001F6E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01001F8E
UnhandledExceptionFilter.KERNEL32(?), ref: 01001F98

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 4f394d1ed1dfe7ff48c41e4412181afe2d82111011b586110527457bdf655b30
Instruction ID: 54b636335c85eda3585c4fa4cfae0f80e3f08749e9f0e7446770409e4cde938e
Opcode Fuzzy Hash: 4f394d1ed1dfe7ff48c41e4412181afe2d82111011b586110527457bdf655b30
Instruction Fuzzy Hash: 6E311A75D0531D9BEB22EF64D9897CDBBB8AF04300F1041EAE44CAB280EB759A858F45

Uniqueness

Uniqueness Score: -1.00%

Function 010015FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 01001020: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,0100162D,?,?,?,0100100A), ref: 01001025
Part of subcall function 01001020: GetLastError.KERNEL32(?,?,?,0100100A), ref: 0100102F

IsDebuggerPresent.KERNEL32(?,?,?,0100100A), ref: 01001631
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0100100A), ref: 01001640

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0100163B

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 708f496a166c84ec5df9bb9dc7e1c6898d8f8b72d2d931fb32a1924a7afe844a
Instruction ID: 1ebde5a04a4dcd863f1e1c1e420db27aafc47aaa26aff64df1251dc082d8d1eb
Opcode Fuzzy Hash: 708f496a166c84ec5df9bb9dc7e1c6898d8f8b72d2d931fb32a1924a7afe844a
Instruction Fuzzy Hash: 1EE0ED706017418BF372DF65D9083827AE4AB18744F048C5DF8D5D7684EBBAD4448B91

Uniqueness

Uniqueness Score: -1.00%

Function 01001CB2 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 01001CC8

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 60e8f6795450a10e0b1242697ecd7593ff1863e47b8bb6552e701b297366f042
Instruction ID: 07050bed4e6678164eed65d26a2fc72180c53b370121594274566efc7a70eccc
Opcode Fuzzy Hash: 60e8f6795450a10e0b1242697ecd7593ff1863e47b8bb6552e701b297366f042
Instruction Fuzzy Hash: 6951A171A146098FFB26DF68D8817AEBBF0FB88300F14856AD595EB284D779D940CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01008275 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 01008275

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 12d14dc2b158340c64a4f2ea693d07e577e8befcd9dca896c0739b9f608d2a9f
Instruction ID: 183626e0166e930149a44db137a9c8d42709a9ce831181cb2d62cc892bf08dd6
Opcode Fuzzy Hash: 12d14dc2b158340c64a4f2ea693d07e577e8befcd9dca896c0739b9f608d2a9f
Instruction Fuzzy Hash: 9DA002F07016018B97618F359705349369955455917058455B555D5154D67F44505F01

Uniqueness

Uniqueness Score: -1.00%

Function 010033DB Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

type_info::operator==.LIBVCRUNTIME ref: 010034FA
___TypeMatch.LIBVCRUNTIME ref: 01003608
_UnwindNestedFrames.LIBCMT ref: 0100375A
CallUnexpected.LIBVCRUNTIME ref: 01003775

Strings

csm, xrefs: 01003485
csm, xrefs: 01003418
csm, xrefs: 01003531

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 3209422f13d6c6a475e3a3a3ea3ef66461ac114d940d53199cc3d72b4935801d
Instruction ID: 979bfbff74251e4725c559505fe11c74a220484b78bf5a607de6d34abb22b745
Opcode Fuzzy Hash: 3209422f13d6c6a475e3a3a3ea3ef66461ac114d940d53199cc3d72b4935801d
Instruction Fuzzy Hash: 4CB17075800209DFEF27DFA8C8409AEBBB5BF14310F15419AE9856F292D731DA51CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01002EE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 01002F17
___except_validate_context_record.LIBVCRUNTIME ref: 01002F1F
_ValidateLocalCookies.LIBCMT ref: 01002FA8
__IsNonwritableInCurrentImage.LIBCMT ref: 01002FD3
_ValidateLocalCookies.LIBCMT ref: 01003028

Strings

csm, xrefs: 01002FBD

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e6de1b31dd462b6a3b89a5264cf0e9f1c87ce863cfbd70474b5ef905a40361ee
Instruction ID: dc70ad097eadfa485497099fc110e8eaf4d23ff00810350a906c4ecdbdbfcfa3
Opcode Fuzzy Hash: e6de1b31dd462b6a3b89a5264cf0e9f1c87ce863cfbd70474b5ef905a40361ee
Instruction Fuzzy Hash: 0D41B434A0020AAFEF12DF68C848AEEBFF5BF45354F0481A9E9949B3D1C7319901CB91

Uniqueness

Uniqueness Score: -1.00%

Function 010030A4 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0100309B,0100277E,0100204B), ref: 010030B2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 010030C0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 010030D9
SetLastError.KERNEL32(00000000,0100309B,0100277E,0100204B), ref: 0100312B

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 04fbc1a8dd061749ec5b675262bc0d4cdd5f527ba2ba46bc9307be1e46000e01
Instruction ID: c2482582486d9bd9aac8e14d5c75cb766814715c09c5abec4e19530e9de88ab6
Opcode Fuzzy Hash: 04fbc1a8dd061749ec5b675262bc0d4cdd5f527ba2ba46bc9307be1e46000e01
Instruction Fuzzy Hash: D301FC3221A2125DF6B766B8BC945DB2BB4FF566B1F20433AF6D09D0D4EF1F49014294

Uniqueness

Uniqueness Score: -1.00%

Function 01004E39 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,4F93FE85,?,?,00000000,0100DDAA,000000FF,?,01004E15,?,?,01004DE9,00000000), ref: 01004E6E
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01004E80
FreeLibrary.KERNEL32(00000000,?,00000000,0100DDAA,000000FF,?,01004E15,?,?,01004DE9,00000000), ref: 01004EA2

Strings

CorExitProcess, xrefs: 01004E78
mscoree.dll, xrefs: 01004E67

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 84a555ce2935e4fc565eaaaf1f7bd67e4fc792c639c65b89877fb7282a64f87e
Instruction ID: 0fcab054edcde602d666e2b3061d31327d496dc71a3310cd76cc6968987b7fac
Opcode Fuzzy Hash: 84a555ce2935e4fc565eaaaf1f7bd67e4fc792c639c65b89877fb7282a64f87e
Instruction Fuzzy Hash: 7B01A771504655AFEB239B54CC05BAEBBB8FB04B11F00492AF951F62C4DB799800CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0100A430 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0100A4B5
__alloca_probe_16.LIBCMT ref: 0100A57E
__freea.LIBCMT ref: 0100A5E5

Part of subcall function 01009290: HeapAlloc.KERNEL32(00000000,00000000,?,?,00000003,01004768,?,010046D7,?,00000000,010048E6), ref: 010092C2

__freea.LIBCMT ref: 0100A5F8
__freea.LIBCMT ref: 0100A605

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 0f3c54f18e69fb0257098e4937f1f519ee9503683d75d5241b34eb576cb83c21
Instruction ID: 4a6237faee1bab2cc3191f4aa951a775fbaf666ee9f5dd433998e506a780beb0
Opcode Fuzzy Hash: 0f3c54f18e69fb0257098e4937f1f519ee9503683d75d5241b34eb576cb83c21
Instruction Fuzzy Hash: D951A0B2700306EFFB229E688C45EEF3BE9EF98650F154169FA8497180EB75DC508660

Uniqueness

Uniqueness Score: -1.00%

Function 01004237 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,010041E8,00000000,?,01015CCC,?,?,?,0100438B,00000004,InitializeCriticalSectionEx,0100ED60,InitializeCriticalSectionEx), ref: 01004244
GetLastError.KERNEL32(?,010041E8,00000000,?,01015CCC,?,?,?,0100438B,00000004,InitializeCriticalSectionEx,0100ED60,InitializeCriticalSectionEx,00000000,?,01003FD2), ref: 0100424E
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 01004276

Strings

api-ms-, xrefs: 0100425B

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: b5f40e74117183cf202323e9986ab7e8c5cb2aedd61a9484a46c013816da5be7
Instruction ID: 4c9cabd7e07c1716f68e2bf9cea200c8120e712637d8383a2aec4953f016caae
Opcode Fuzzy Hash: b5f40e74117183cf202323e9986ab7e8c5cb2aedd61a9484a46c013816da5be7
Instruction Fuzzy Hash: F5E01A70384208B6FF631BA5EC46B587A99AB00B50F548860FA8DF81D1EB6695508A68

Uniqueness

Uniqueness Score: -1.00%

Function 0100A812 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(4F93FE85,00000000,00000000,?), ref: 0100A875

Part of subcall function 01007961: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0100A5DB,?,00000000,-00000008), ref: 010079C2

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0100AAC7
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0100AB0D
GetLastError.KERNEL32 ref: 0100ABB0

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: ae5a57b96fd76f62bad57d1f2f73d64b9e09baa84f4987f0a564a12cd2aaeb92
Instruction ID: e4da44d81a13f470a345b3b52ad13d607cc5a25b860984849705183467f380fe
Opcode Fuzzy Hash: ae5a57b96fd76f62bad57d1f2f73d64b9e09baa84f4987f0a564a12cd2aaeb92
Instruction Fuzzy Hash: 86D18B75E00648DFEB16CFA8C8809EDBBB5FF09310F14456AE596EB382D734A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01003184 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0100324B
___AdjustPointer.LIBCMT ref: 0100326E
___AdjustPointer.LIBCMT ref: 0100330A

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: a8c041e28c02601372359745515d5475f036de21f387d150e8b86e387ffe1aea
Instruction ID: 02a30aca6a24c33ed4993b6ebb4419e965c74e89a32b5f34ff1ccc1a669a0741
Opcode Fuzzy Hash: a8c041e28c02601372359745515d5475f036de21f387d150e8b86e387ffe1aea
Instruction Fuzzy Hash: 5251BE72604602AFFB2B9F58D944BAABBE4FF48310F14456DE9859F2D1EB31E840C790

Uniqueness

Uniqueness Score: -1.00%

Function 0100BFE8 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,0100B80C,00000000,00000001,00000000,?,?,0100AC04,?,00000000,00000000), ref: 0100BFFF
GetLastError.KERNEL32(?,0100B80C,00000000,00000001,00000000,?,?,0100AC04,?,00000000,00000000,?,?,?,0100B1A7,00000000), ref: 0100C00B

Part of subcall function 0100BFD1: CloseHandle.KERNEL32(FFFFFFFE,0100C01B,?,0100B80C,00000000,00000001,00000000,?,?,0100AC04,?,00000000,00000000,?,?), ref: 0100BFE1

___initconout.LIBCMT ref: 0100C01B

Part of subcall function 0100BF93: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0100BFC2,0100B7F9,?,?,0100AC04,?,00000000,00000000,?), ref: 0100BFA6

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,0100B80C,00000000,00000001,00000000,?,?,0100AC04,?,00000000,00000000,?), ref: 0100C030

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 693d9f13b7182ec2b590414d55a5e988cfa8388753ed0141b4b79383803ef35a
Instruction ID: 439e07079843d7246edd9cc757b107963c4a86a68e13b3dd62055ff3f222b0c8
Opcode Fuzzy Hash: 693d9f13b7182ec2b590414d55a5e988cfa8388753ed0141b4b79383803ef35a
Instruction Fuzzy Hash: 20F0303A000115FBEF336FA5DC04A993F66FB493A0F144551FE88A61A0C637C960DF90

Uniqueness

Uniqueness Score: -1.00%

Function 01003780 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 010037A5

Strings

RCC, xrefs: 010037BF
MOC, xrefs: 010037B7

Memory Dump Source

Source File: 0000000D.00000002.2893641595.0000000001001000.00000020.00000001.01000000.00000013.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.2893586532.0000000001000000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893685846.000000000100E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893862125.0000000001015000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000D.00000002.2893900092.0000000001017000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_FastSRV.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 9e52e50de40340c70bc59a8cf90e5b377c743c80f751e883a2407ef4fb1d6a9b
Instruction ID: e1ebbaa142cf464d0dbcd6152fa4c3e8a403298c7bc98ee36dfaaa6498b3cf2e
Opcode Fuzzy Hash: 9e52e50de40340c70bc59a8cf90e5b377c743c80f751e883a2407ef4fb1d6a9b
Instruction Fuzzy Hash: A3416C71900209EFEF17DF98CC84AEEBBB5BF48314F18409AFA486B291D3359A51DB51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: fast!.exePID: 7528, Parent PID: 7664COMMON

Executed Functions

Function 00251E10 Relevance: 53.3, APIs: 15, Strings: 15, Instructions: 816sleeppipeCOMMON

Download Yara Rule

APIs

Part of subcall function 00258080: __Mtx_unlock.LIBCPMT ref: 0025813C

OpenEventW.KERNEL32(001F0003,00000001,Local\fast!,/noui), ref: 00251F7C
PulseEvent.KERNEL32(000001A8), ref: 00251F98
CreateEventW.KERNEL32(00000000,00000000,00000000,Local\fast!), ref: 00251FAE
GetTickCount64.KERNEL32 ref: 00252374
GetTickCount64.KERNEL32 ref: 002523A2
GetTickCount64.KERNEL32 ref: 002523D0

Part of subcall function 00252BC0: Concurrency::cancel_current_task.LIBCPMT ref: 00252D6B

CreateNamedPipeW.KERNEL32(\\.\pipe\veryfastapp,00000003,00000000,00000001,00004000,00004000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?), ref: 00252772
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?), ref: 002527A7
ShellExecuteW.SHELL32(00000000,open,nwjs\nw,ui\.,00000000,00000001), ref: 002527CC
Sleep.KERNEL32(00000064,00000001,?,?,?,?,?,?,?,?), ref: 002527F2

Part of subcall function 002357C0: __Mtx_destroy_in_situ.LIBCPMT ref: 0023580E

Part of subcall function 0023FFC0: ControlService.ADVAPI32(?,00000001,?,DBCFA47E), ref: 00240012
Part of subcall function 0023FFC0: CloseServiceHandle.ADVAPI32(?), ref: 0024001B
Part of subcall function 0023FFC0: CloseServiceHandle.ADVAPI32(?,DBCFA47E), ref: 00240029

__Mtx_unlock.LIBCPMT ref: 002528A9
__Mtx_destroy_in_situ.LIBCPMT ref: 002528C3
FreeLibrary.KERNEL32(?,?,?,00000001,?,?,?,?,?,?,?,?), ref: 002528FD
std::_Throw_Cpp_error.LIBCPMT ref: 0025296B
std::_Throw_Cpp_error.LIBCPMT ref: 00252979

Strings

open, xrefs: 002527C5
@[+, xrefs: 00252778
y, xrefs: 00252385
Error: can't change dir!, xrefs: 00251C81, 00251C9E
D[+, xrefs: 00252795
ui\., xrefs: 002527BB
Error, xrefs: 00251CD2, 00251CEC
Local\fast!, xrefs: 00251F70, 00251FA3
\, xrefs: 00251C23
{, xrefs: 002523B3
9[+, xrefs: 00251F5E
\\.\pipe\veryfastapp, xrefs: 0025276D
/noui, xrefs: 00251EDA, 00251EF0
<[+, xrefs: 00251F82
nwjs\nw, xrefs: 002527C0

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Count64EventServiceTick$CloseCpp_errorCreateHandleMtx_destroy_in_situMtx_unlockSleepThrow_std::_$Concurrency::cancel_current_taskControlExecuteFreeLibraryNamedOpenPipePulseShell
String ID: /noui$9[+$<[+$@[+$D[+$Error$Error: can't change dir!$Local\fast!$\$\\.\pipe\veryfastapp$nwjs\nw$open$ui\.$y${
API String ID: 55455292-666999745
Opcode ID: cda9a272898c480fb10093faec1851cf30e536577cc947fd88ecda7b20ef3a2f
Instruction ID: 7820fd311e715199401a09750801557f744ff7a4875366322e03e698ce4f37c0
Opcode Fuzzy Hash: cda9a272898c480fb10093faec1851cf30e536577cc947fd88ecda7b20ef3a2f
Instruction Fuzzy Hash: 24728070A11219DFDB24DF60CC94BE9B7B4BF05305F1440E9E909AB281EB71AE98CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0024DB70 Relevance: 39.1, APIs: 11, Strings: 11, Instructions: 576
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000,DBCFA47E,00000000,?), ref: 0024DBC5
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?), ref: 0024DC51
CoCreateInstance.OLE32(0029C410,00000000,00000001,0029C400,00000000), ref: 0024DC78
SysFreeString.OLEAUT32(00000000), ref: 0024DCFC
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0024DD46

Part of subcall function 0024F320: _com_issue_error.COMSUPP ref: 0024F3A4
Part of subcall function 0024F320: SysFreeString.OLEAUT32(-00000001), ref: 0024F3D0

SysFreeString.OLEAUT32(00000000), ref: 0024DDF1
SysFreeString.OLEAUT32(00000000), ref: 0024DE40
VariantInit.OLEAUT32(?), ref: 0024DEE7
VariantInit.OLEAUT32(?), ref: 0024DEFA
VariantClear.OLEAUT32(?), ref: 0024E181
VariantClear.OLEAUT32(00000003), ref: 0024E18E

Strings

WQL, xrefs: 0024DD74
Adapter, xrefs: 0024E04D
|*, xrefs: 0024DBD9
ServiceType, xrefs: 0024DF2D
Own Process, xrefs: 0024E0CD
Share Process, xrefs: 0024E115
ProcessId, xrefs: 0024DF10
File System Driver, xrefs: 0024E00D
Kernel Driver, xrefs: 0024DFD3
Recognizer Driver, xrefs: 0024E08D
SELECT ProcessId, ServiceType FROM Win32_Service, xrefs: 0024DD65

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: FreeStringVariant$ClearInitInitialize$BlanketCreateInstanceProxySecurity_com_issue_error
String ID: |*$Adapter$File System Driver$Kernel Driver$Own Process$ProcessId$Recognizer Driver$SELECT ProcessId, ServiceType FROM Win32_Service$ServiceType$Share Process$WQL
API String ID: 408074110-3463503815
Opcode ID: a17ffb3009eee4cbab646098a2d0936b70c3cd3c5fef1aab8a4c9fde53a0fe70
Instruction ID: 3b424927738b3f9e31858da2c4550433ffac64ef393a995ad9663a68dc8cad47
Opcode Fuzzy Hash: a17ffb3009eee4cbab646098a2d0936b70c3cd3c5fef1aab8a4c9fde53a0fe70
Instruction Fuzzy Hash: 4322C071A10206DBEF28DF64CC45BAEB7B5FF14704F258469E80AEB281EB71AD54CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0023E500 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 275
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,DBCFA47E), ref: 0023E534
GetLastError.KERNEL32(Error), ref: 0023E5CC
GetCurrentProcess.KERNEL32 ref: 0023E62B
OpenProcessToken.ADVAPI32(00000000,00000020,?), ref: 0023E638
AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000010,00000000,00000000), ref: 0023E73B
GetLastError.KERNEL32(Error), ref: 0023E6D0

Part of subcall function 002230C0: GetProcessHeap.KERNEL32 ref: 002230EC

Part of subcall function 002222E0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,00221170,/pixel.gif,?,80004005,DBCFA47E,00000000,0029768F,000000FF), ref: 0022231A

GetLastError.KERNEL32(Error), ref: 0023E7D3
FindCloseChangeNotification.KERNELBASE(?), ref: 0023E82B

Strings

LookupPrivilegeValue error., xrefs: 0023E55C, 0023E576
AdjustTokenPrivileges error., xrefs: 0023E763, 0023E77D
Error, xrefs: 0023E5A4, 0023E5BB, 0023E6A8, 0023E6BF, 0023E7AB, 0023E7C2
OpenProcessToken failed with error., xrefs: 0023E660, 0023E67A
SeDebugPrivilege, xrefs: 0023E52D

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ErrorLastProcess$FindToken$AdjustChangeCloseCurrentHeapLookupNotificationOpenPrivilegePrivilegesResourceValue
String ID: AdjustTokenPrivileges error.$Error$LookupPrivilegeValue error.$OpenProcessToken failed with error.$SeDebugPrivilege
API String ID: 2027225508-1421965758
Opcode ID: 0a125b77dd00229c9ad8664d29aa9057f5404f912715efb4d4e10d4e81eb34b2
Instruction ID: d1419bbe2cc551a02f62ce5c5a72cd332e8eedf1a168fc1444163fbbe4b245d9
Opcode Fuzzy Hash: 0a125b77dd00229c9ad8664d29aa9057f5404f912715efb4d4e10d4e81eb34b2
Instruction Fuzzy Hash: FFA17070A10205EFDB00DFA8D949B9DB7B4EF05314F158258E915BB2D2EB719E19CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00258180 Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 307
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000,DBCFA47E,?,00000010), ref: 002581C2
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000010), ref: 002581E2
CoCreateInstance.OLE32(0029C410,00000000,00000001,0029C400,?,?,00000010), ref: 00258209
SysFreeString.OLEAUT32(00000000), ref: 0025827D
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,00000010), ref: 002582C3
CoUninitialize.OLE32(?,00000010), ref: 002582DF
SysFreeString.OLEAUT32(00000000), ref: 00258376
SysFreeString.OLEAUT32(00000000), ref: 002583CC
VariantClear.OLEAUT32(?), ref: 00258484
CoUninitialize.OLE32(00000000,?,?,00000010), ref: 002584AE

Part of subcall function 0024F410: SysAllocString.OLEAUT32(ROOT\CIMV2), ref: 0024F464

Strings

WQL, xrefs: 00258311
UUID, xrefs: 0025844E
SELECT * FROM Win32_ComputerSystemProduct, xrefs: 002582FB

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: String$Free$InitializeUninitialize$AllocBlanketClearCreateInstanceProxySecurityVariant
String ID: SELECT * FROM Win32_ComputerSystemProduct$UUID$WQL
API String ID: 3344067834-1925264128
Opcode ID: d2450bf6efbadb380d3868e88c7c976e8f64edf0e00eea7fd79b3d1848301c8c
Instruction ID: 7cb98a8c9bf003be51f0b0751e7458913809d92b6f08bb39ca800054796b4e98
Opcode Fuzzy Hash: d2450bf6efbadb380d3868e88c7c976e8f64edf0e00eea7fd79b3d1848301c8c
Instruction Fuzzy Hash: 6EB18F71A10306ABEB20DF94CC45BAEB7B4EF44B11F244159ED05BB2D0DBB1AD15CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0023DC40 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 141
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002230C0: GetProcessHeap.KERNEL32 ref: 002230EC

__Mtx_unlock.LIBCPMT ref: 0023DE0C

Part of subcall function 002222E0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,00221170,/pixel.gif,?,80004005,DBCFA47E,00000000,0029768F,000000FF), ref: 0022231A

OpenSCManagerW.ADVAPI32 ref: 0023DD0B
OpenServiceW.ADVAPI32(00000000,?,000F003F), ref: 0023DD21
ControlService.ADVAPI32(00000000,00000001,?), ref: 0023DD44

Strings

FastSrv, xrefs: 0023DCD3, 0023DCE7

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: OpenService$ControlFindHeapManagerMtx_unlockProcessResource
String ID: FastSrv
API String ID: 1621622955-3919950210
Opcode ID: 3889b696e3c5e36d6de1ee37ff77b2c13f48f8c61231c230452645b26160a6b2
Instruction ID: 6265215149b3b2dc939f6b92cfe050dd303c0c58f6a5a8cd97775a7f6d9243e6
Opcode Fuzzy Hash: 3889b696e3c5e36d6de1ee37ff77b2c13f48f8c61231c230452645b26160a6b2
Instruction Fuzzy Hash: 3A51FFB1924706EBD710DF64E846B9AF7F4FF14300F10861AE919A7680EBB5A528CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0024F410 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(ROOT\CIMV2), ref: 0024F464
_com_issue_error.COMSUPP ref: 0024F49B
_com_issue_error.COMSUPP ref: 0024F4A5

Strings

ROOT\CIMV2, xrefs: 0024F451

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: _com_issue_error$AllocString
String ID: ROOT\CIMV2
API String ID: 245909816-2786109267
Opcode ID: 254970c9c1aa4d541e170e57e12c5da9138043fac1675204ed8e9cb13676b040
Instruction ID: 239df8b20ef121bd2dc17d595ae748a5b78d51cd7936383ab43370ce31c8cab4
Opcode Fuzzy Hash: 254970c9c1aa4d541e170e57e12c5da9138043fac1675204ed8e9cb13676b040
Instruction Fuzzy Hash: 6F21E672610716EBD7148F58D905B6BB7E8EF45B10F10862EED059BA80CBB4E964CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00258080 Relevance: 4.6, APIs: 3, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Mtx_unlock.LIBCPMT ref: 0025813C

Part of subcall function 002230C0: GetProcessHeap.KERNEL32 ref: 002230EC

Part of subcall function 00258180: CoInitializeEx.OLE32(00000000,00000000,DBCFA47E,?,00000010), ref: 002581C2
Part of subcall function 00258180: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000010), ref: 002581E2
Part of subcall function 00258180: CoCreateInstance.OLE32(0029C410,00000000,00000001,0029C400,?,?,00000010), ref: 00258209
Part of subcall function 00258180: SysFreeString.OLEAUT32(00000000), ref: 0025827D

std::_Throw_Cpp_error.LIBCPMT ref: 0025815B
std::_Throw_Cpp_error.LIBCPMT ref: 00258168

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Cpp_errorInitializeThrow_std::_$CreateFreeHeapInstanceMtx_unlockProcessSecurityString
String ID:
API String ID: 3244792945-0
Opcode ID: 7393cd93bbec106ea60198f890fb9b2ad7374bc0e55a6b7873d3cabeb7c6f19f
Instruction ID: 01c2da21ea3dc4e1f4bdab8730e36c4a96c522b4647b723e627dcc9944ec915f
Opcode Fuzzy Hash: 7393cd93bbec106ea60198f890fb9b2ad7374bc0e55a6b7873d3cabeb7c6f19f
Instruction Fuzzy Hash: 8E21F970624605DBDB00FF78EC0675A77F4EB04715F004929F818EB391EFB599288B96

Uniqueness

Uniqueness Score: -1.00%

Function 00284AF8 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,00284AF2,?,Rs',?,?,DBCFA47E,00277352,?), ref: 00284B09
TerminateProcess.KERNEL32(00000000,?,00284AF2,?,Rs',?,?,DBCFA47E,00277352,?), ref: 00284B10
ExitProcess.KERNEL32 ref: 00284B22

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: e92d844e1546b6a4a38eeaab57a37cb879d393e136e3a08660a43507115a3529
Instruction ID: d2ad601731b001bbc607cfdf9201d625e7b2e2e5790fc77959f180e549c3ecf9
Opcode Fuzzy Hash: e92d844e1546b6a4a38eeaab57a37cb879d393e136e3a08660a43507115a3529
Instruction Fuzzy Hash: D9D0923681110AABCF157FA0EC0DA593F2AAF50399B608011B90D5A0B2CB32D962AB94

Uniqueness

Uniqueness Score: -1.00%

Function 00248810 Relevance: 3.3, APIs: 2, Instructions: 341
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PowerEnumerate.POWRPROF(00000000,00000000,00000000,00000000,00000000,00000000,?,DBCFA47E,?,000000FF), ref: 00248885
PowerEnumerate.POWRPROF(00000000,?,?,00000000,?,00000000,00000000,?,000000FF), ref: 002488DF

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: EnumeratePower
String ID:
API String ID: 3736087620-0
Opcode ID: 29c1cf750080084c512f0cc1695a4907840215d84a214dffe2d883f40d92a05c
Instruction ID: 83587f767cecb88864283d54b4d3611572866f83d363d4a5b9436d5143cdb0fc
Opcode Fuzzy Hash: 29c1cf750080084c512f0cc1695a4907840215d84a214dffe2d883f40d92a05c
Instruction Fuzzy Hash: B3D1A071D206599FDF19CFA8C840AEEFBB5FF49300F14815AE859A7241DB70AA54CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 002877CB Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,0028E046,?,00000000,?,?,0028E2E7,?,00000007,?,?,0028E7DB,?,?), ref: 002877E1
GetLastError.KERNEL32(?,?,0028E046,?,00000000,?,?,0028E2E7,?,00000007,?,?,0028E7DB,?,?), ref: 002877EC

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: af05e33b132f4564a56d2c9d4a1aa1e10d504216b9804302a7068b2712e63ca0
Instruction ID: d297a25fa6640d76ddee4d327d032b9895c31d60766eb296b6722b902a32fc55
Opcode Fuzzy Hash: af05e33b132f4564a56d2c9d4a1aa1e10d504216b9804302a7068b2712e63ca0
Instruction Fuzzy Hash: D2E08C32505215EBCB122FE5FC0CBA93A59AB00351F304035FB0C964A0DB308AA0CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00248560 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PowerGetActiveScheme.POWRPROF(00000000,00000000,?,00000000,?,?,00000000), ref: 002486E5

Part of subcall function 00248810: PowerEnumerate.POWRPROF(00000000,00000000,00000000,00000000,00000000,00000000,?,DBCFA47E,?,000000FF), ref: 00248885
Part of subcall function 00248810: PowerEnumerate.POWRPROF(00000000,?,?,00000000,?,00000000,00000000,?,000000FF), ref: 002488DF

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Power$Enumerate$ActiveScheme
String ID:
API String ID: 1701578839-0
Opcode ID: d010be35a7e7f13219c69562cafc80bc036b44debe7eda9d14c573c705852149
Instruction ID: 0c2e7e1832b42d523add314b3a354c593dfbd8c231817cf52e6f7c46a82ee9fa
Opcode Fuzzy Hash: d010be35a7e7f13219c69562cafc80bc036b44debe7eda9d14c573c705852149
Instruction Fuzzy Hash: 255104B0D102099BDB04CFA5C945B9AFBF4FF48300F14C26AE918AB391E775A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00236130 Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00236220

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 6bac2606d99efb5ca3a66cdc34eb7c2fcbb291db7bcfb996263224a2a646bc0a
Instruction ID: fc4ebf08b20749a5bed8e7edc9a5ad1fbfd2d56ede7be56dd81640a66974c9bf
Opcode Fuzzy Hash: 6bac2606d99efb5ca3a66cdc34eb7c2fcbb291db7bcfb996263224a2a646bc0a
Instruction Fuzzy Hash: 8E213AB3A201116BDF2C9E6CC89962AB39DDB84361B19C73AEC4EC7341D671EC608691

Uniqueness

Uniqueness Score: -1.00%

Function 0023DBA0 Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount64.KERNEL32 ref: 0023DC28

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Count64Tick
String ID:
API String ID: 1927824332-0
Opcode ID: 92cd71df370591198c6e93dc13d3476fd6e3fcbff568ddcd713d5aa2e6547135
Instruction ID: 1cd0e9011f472ba8c23b3bef3b12ee965c1f882ae840bef056a1442319643711
Opcode Fuzzy Hash: 92cd71df370591198c6e93dc13d3476fd6e3fcbff568ddcd713d5aa2e6547135
Instruction Fuzzy Hash: 301118B0814B44DFD360DF29D988707BFF8FB09714F504A1DE49A97A80D7B4A5088F91

Uniqueness

Uniqueness Score: -1.00%

Function 00287805 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00285594,?,0028A6F0,?,00000000,?,002816E3,00000000,00285594,00000004,?,00000000,?,0028538E), ref: 00287837

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 184fa4b88e2b3e4c23a1becfcbaaa1d041b252422f0d51d970930d1e28e2f3ee
Instruction ID: fa964f33af53921ee7f32827658ede5af7d7a98b7202b7422bbf354d60b5bd33
Opcode Fuzzy Hash: 184fa4b88e2b3e4c23a1becfcbaaa1d041b252422f0d51d970930d1e28e2f3ee
Instruction Fuzzy Hash: 9EE0E52D13B522A7DB203E65EC0CB5A364D8F013A0F354130ED18A64D0DBA0CD20E7E5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0024B970 Relevance: 51.5, APIs: 9, Strings: 20, Instructions: 789COMMON

Download Yara Rule

APIs

EnumProcesses.PSAPI(00000000,00004000,00000000,DBCFA47E), ref: 0024BA22
GetTickCount64.KERNEL32 ref: 0024BA88

Part of subcall function 00258A1C: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00258A28

Part of subcall function 00222E90: HeapAlloc.KERNEL32(?,00000000,?,?,?,002B2D8C,?,?,00222CBB,80070057), ref: 00222EBB

Strings

chrome.exe, xrefs: 0024BE75
dllhost.exe, xrefs: 0024BF56
ntdll, xrefs: 0024BD98
invalid unordered_map<K, T> key, xrefs: 0024C3F1
firefox.exe, xrefs: 0024BE3A
services.exe, xrefs: 0024BF0B
iexplore.exe, xrefs: 0024BE8E
tabtip, xrefs: 0024BF6F
googledrivefs.exe, xrefs: 0024BE5C
lsass.exe, xrefs: 0024BF24
csrss.exe, xrefs: 0024BED9
dwm.exe, xrefs: 0024BEA7
svchost.exe, xrefs: 0024BEF2
smss.exe, xrefs: 0024BEC0
FileDescription, xrefs: 0024BCAE, 0024BCC5
lsm.exe, xrefs: 0024BF3D
microsoftedge.exe, xrefs: 0024BE14
microsoftedgecp.exe, xrefs: 0024BE24
NtQueryInformationProcess, xrefs: 0024BD93
explorer.exe, xrefs: 0024BFE5

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: AllocCount64EnumHeapProcessesTickstd::invalid_argument::invalid_argument
String ID: FileDescription$NtQueryInformationProcess$chrome.exe$csrss.exe$dllhost.exe$dwm.exe$explorer.exe$firefox.exe$googledrivefs.exe$iexplore.exe$invalid unordered_map<K, T> key$lsass.exe$lsm.exe$microsoftedge.exe$microsoftedgecp.exe$ntdll$services.exe$smss.exe$svchost.exe$tabtip
API String ID: 3824278755-1787672440
Opcode ID: 13d3878a6ff74088535331283c4598b68a2890d959ed5a18fe7fb32c619a72b2
Instruction ID: 3d2ca90ccf010f695c66512d3c466420c953963b746ed7bee97204577c8a89df
Opcode Fuzzy Hash: 13d3878a6ff74088535331283c4598b68a2890d959ed5a18fe7fb32c619a72b2
Instruction Fuzzy Hash: F862B070A10616DFDB19DF68C855BAEBBF4BF09300F148169E859EB281DB70EA54CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0024C640 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 186filethreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(DBCFA47E), ref: 0024C679
GetWindowThreadProcessId.USER32(00000000,?), ref: 0024C691
GetWindowTextW.USER32(00000000,?,000000FF), ref: 0024C7C7
PostMessageW.USER32(00000000,00000010,00000000,00000000), ref: 0024C7F0
__Xtime_get_ticks.LIBCPMT ref: 0024C81A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0024C828
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,?,00002710,00000000), ref: 0024C85C

Strings

{ "fast":{ "fast_tutorial_benchmark_done":%lld } }, xrefs: 0024C835
__fasttest__, xrefs: 0024C7D3

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Window$FileForegroundMessagePostProcessTextThreadUnothrow_t@std@@@WriteXtime_get_ticks__ehfuncinfo$??2@
String ID: __fasttest__${ "fast":{ "fast_tutorial_benchmark_done":%lld } }
API String ID: 2467357488-3036676175
Opcode ID: e105e5d676c4015e8018734474a2717f20890de3dc92cc0f6056d930c7a81c14
Instruction ID: 1c7a3e0180c14ccbd54cfd5c4e55afffb483d3daab6ffade34bea45b679c407f
Opcode Fuzzy Hash: e105e5d676c4015e8018734474a2717f20890de3dc92cc0f6056d930c7a81c14
Instruction Fuzzy Hash: AE619771A501199FDB58DF68CC99BEAB7ECFB04310F1041AAF909DB291DB30DA558FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0023E880 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 301registrynetworkCOMMON

Download Yara Rule

APIs

InternetCheckConnectionW.WININET(https://veryfast.io/,00000001,00000000), ref: 0023E8D0
InternetCheckConnectionW.WININET(https://veryfast.io/,00000001,00000000), ref: 0023E924
RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall\Fast!,?), ref: 0023EB76
RegSetKeyValueW.ADVAPI32(?,002A7C38,SettingV1,00000001,?,?,?,002BA190,?,?), ref: 0023EBAC
CloseHandle.KERNEL32(?,?,002BA190,?,?), ref: 0023EBB5

Strings

https://veryfast.io/, xrefs: 0023E8CB, 0023E91F
SettingV1, xrefs: 0023EB9F
Software\Microsoft\Windows\CurrentVersion\Uninstall\Fast!, xrefs: 0023EB6C

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: CheckConnectionInternet$CloseCreateHandleValue
String ID: SettingV1$Software\Microsoft\Windows\CurrentVersion\Uninstall\Fast!$https://veryfast.io/
API String ID: 2665258096-2658951567
Opcode ID: 57bf7fff34766976e01639c4251063cd96c3f4687c7dd85941a4d753149a2022
Instruction ID: 3794af4f44e177f9438845d4ee6a6f43c5a2edc60278fcb27804cac8cb513da0
Opcode Fuzzy Hash: 57bf7fff34766976e01639c4251063cd96c3f4687c7dd85941a4d753149a2022
Instruction Fuzzy Hash: 2CC129B0D20204DBDB10DFA8DD46B9DB7B4BF15310F158265F919A72D2EB30AA68CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00240150 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(gdi32.dll,?,?,002402AE,?,00000005,00000006), ref: 0024015F
GetProcAddress.KERNEL32(00000000,GetDeviceGammaRamp), ref: 00240171
GetProcAddress.KERNEL32(?,SetDeviceGammaRamp), ref: 00240181
FreeLibrary.KERNEL32(00000000), ref: 0024019A

Strings

GetDeviceGammaRamp, xrefs: 0024016B
SetDeviceGammaRamp, xrefs: 00240177
gdi32.dll, xrefs: 0024015A

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: GetDeviceGammaRamp$SetDeviceGammaRamp$gdi32.dll
API String ID: 2256533930-872364236
Opcode ID: 2d15e7abeb32dd6e80f6365991e96227ee32998a7afcf9d27d302f66097744f6
Instruction ID: fc898fa86f69b8040eb4a4245c34d0f175b32fe5b7b231b96018e74fabc0b38b
Opcode Fuzzy Hash: 2d15e7abeb32dd6e80f6365991e96227ee32998a7afcf9d27d302f66097744f6
Instruction Fuzzy Hash: F5F037B1660303EFEB044FAAECC8401F7A9BB11311B20813AE65DD2211DB70C8B0CF20

Uniqueness

Uniqueness Score: -1.00%

Function 002437A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 95keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000079), ref: 002437B6
GetAsyncKeyState.USER32(00000012), ref: 002437C3
GetTickCount64.KERNEL32 ref: 002437FC
GetTickCount64.KERNEL32 ref: 00243853
GetTickCount64.KERNEL32 ref: 00243880

Strings

invalid unordered_map<K, T> key, xrefs: 002438A5

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Count64Tick$AsyncState
String ID: invalid unordered_map<K, T> key
API String ID: 381133608-353222475
Opcode ID: 5f77a63e92a666a51a19150f2323c34fe6053ffd64e3589db68d86a44c460dca
Instruction ID: 7b637eb7094f03e78f290d06791ac52c6345a461bb7831ecbdda566500810327
Opcode Fuzzy Hash: 5f77a63e92a666a51a19150f2323c34fe6053ffd64e3589db68d86a44c460dca
Instruction Fuzzy Hash: 5F31AFB25103059BC714DF54E88599BBBFCFF88310F40066EF94997201EB30EA588BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0028F7F1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,0028FB03,00000002,00000000,?,?,?,0028FB03,?,00000000), ref: 0028F88A
GetLocaleInfoW.KERNEL32(00000000,20001004,0028FB03,00000002,00000000,?,?,?,0028FB03,?,00000000), ref: 0028F8B3
GetACP.KERNEL32(?,?,0028FB03,?,00000000), ref: 0028F8C8

Strings

OCP, xrefs: 0028F845
ACP, xrefs: 0028F80F

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 352845c93e4607266e3aae2a4cc10d72f5ab4afb40c4e749be4999b54ac6e06d
Instruction ID: 94e715e3ec7aa9ba60a95e753a3fe6b6831f0613c6c9fde20ba11914308f571a
Opcode Fuzzy Hash: 352845c93e4607266e3aae2a4cc10d72f5ab4afb40c4e749be4999b54ac6e06d
Instruction Fuzzy Hash: 2D21F53AB32102EBE7B4AF14CB00B9773A6EF51B50B568434E90ADB190E732DD61C360

Uniqueness

Uniqueness Score: -1.00%

Function 0028F9CD Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002874E0: GetLastError.KERNEL32(?,00000000,0027FE40,002B27F0,00000008,00000003,00277352,?,002772C1,00000004,?,002774D0), ref: 002874E4
Part of subcall function 002874E0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,?,?,00000000,?,?,?,002852D6,002B2958,0000000C,00285594), ref: 00287586

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0028FAD5
IsValidCodePage.KERNEL32(00000000), ref: 0028FB13
IsValidLocale.KERNEL32(?,00000001), ref: 0028FB26
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0028FB6E
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0028FB89

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 20d2f363bb391adda8b5f7d2d401af3616b60e8c0bedb79bc7425de8873d25a0
Instruction ID: 2cf8cd0bd51e2ae4bdfb735732a30a152d366349424d3137268f87868c1e0368
Opcode Fuzzy Hash: 20d2f363bb391adda8b5f7d2d401af3616b60e8c0bedb79bc7425de8873d25a0
Instruction Fuzzy Hash: 54518075A22206AFEB54FFA4DD45ABE77B8AF08710F144079E905E71D1E770D920CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0028F058 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002874E0: GetLastError.KERNEL32(?,00000000,0027FE40,002B27F0,00000008,00000003,00277352,?,002772C1,00000004,?,002774D0), ref: 002874E4
Part of subcall function 002874E0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,?,?,00000000,?,?,?,002852D6,002B2958,0000000C,00285594), ref: 00287586

GetACP.KERNEL32(?,?,?,?,?,?,00286078,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0028F117
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00286078,?,?,?,00000055,?,-00000050,?,?), ref: 0028F14E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0028F2B1

Strings

utf8, xrefs: 0028F220

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 1b9efea9ce1a5936b295f9ba3b1074b31dbd36db8d9659b3ca5b9223ba735f5b
Instruction ID: 47efd548fe5940153c2684c630ceb50a6a11269cfa058a9fe7d16aa6420974f6
Opcode Fuzzy Hash: 1b9efea9ce1a5936b295f9ba3b1074b31dbd36db8d9659b3ca5b9223ba735f5b
Instruction Fuzzy Hash: 0371E77D622203AADB64BF74CD46BAA73A8EF04710F15443AF915D71C5FAB0E8608B60

Uniqueness

Uniqueness Score: -1.00%

Function 00277353 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0027744B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00277455
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00277462

Strings

X)+, xrefs: 00277355

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: X)+
API String ID: 3906539128-1964294321
Opcode ID: fc04b59f6cba33d20953cba7b747b22696cc19f6dde4185c54f131c80ae9a2c1
Instruction ID: 67587683f95cc60f1b84d32048deadee8d7260d4ed3e1e1bcd4e56ba6cce8194
Opcode Fuzzy Hash: fc04b59f6cba33d20953cba7b747b22696cc19f6dde4185c54f131c80ae9a2c1
Instruction Fuzzy Hash: 0931C574911229DBCB21DF68DC8978DBBB8BF18310F5082EAE40CA7251E7709F958F44

Uniqueness

Uniqueness Score: -1.00%

Function 0027EBA0 Relevance: 6.5, APIs: 4, Instructions: 455COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614a8e9e70a092ccbb65c13160fac04d3d2767d153c569743a3a6e6f7c129f24
Instruction ID: 41456ebd50f7488bcb839fe791999fb93d4d618b6616f998e488eb7488c7b4c1
Opcode Fuzzy Hash: 614a8e9e70a092ccbb65c13160fac04d3d2767d153c569743a3a6e6f7c129f24
Instruction Fuzzy Hash: C2025C71E1121A9BDF14CFA8C9807AEFBB5FF48314F2582A9E519E7381D731A911CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00272E74 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00272E80
IsDebuggerPresent.KERNEL32 ref: 00272F4C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00272F6C
UnhandledExceptionFilter.KERNEL32(?), ref: 00272F76

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: bc83b630e54ec52e3a40827f1ce9f9c97479a51556374ebfd6ff99c1949e4ff8
Instruction ID: 577d28e62558c85e75d03b9e4655f9bd362b8d2f6f748600f89f4adf32d966d1
Opcode Fuzzy Hash: bc83b630e54ec52e3a40827f1ce9f9c97479a51556374ebfd6ff99c1949e4ff8
Instruction Fuzzy Hash: 5531FB75D15319DBDB10EFA4D9497CDBBB8AF08304F1041EAE40DA7250EB715B948F45

Uniqueness

Uniqueness Score: -1.00%

Function 0028F475 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 002874E0: GetLastError.KERNEL32(?,00000000,0027FE40,002B27F0,00000008,00000003,00277352,?,002772C1,00000004,?,002774D0), ref: 002874E4
Part of subcall function 002874E0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,?,?,00000000,?,?,?,002852D6,002B2958,0000000C,00285594), ref: 00287586

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0028F4C9
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0028F513
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0028F5D9

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 0585cc0af18daba47bb8c553d74f971da986216470ce8e65935173ca2cd94d04
Instruction ID: 8beb283c63754eb0e986aadf8f8d0d0e18021ee6b91dd8f3afd71e2c837415a3
Opcode Fuzzy Hash: 0585cc0af18daba47bb8c553d74f971da986216470ce8e65935173ca2cd94d04
Instruction Fuzzy Hash: 4461B0759222179FDB68BF24CE82BAA73A8EF04300F204179E815C61D5F778D9A0CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00222D20 Relevance: 4.5, APIs: 3, Instructions: 48COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,00000001,00000000,?,?,00222DDC,00000000,?,00000000,00000000,002BA088), ref: 00222D2C
LockResource.KERNEL32(00000000,?,?,00222DDC,00000000,?,00000000,00000000,002BA088,?,?,?,?,0022230A), ref: 00222D37
SizeofResource.KERNEL32(00000000,00000000,?,?,00222DDC,00000000,?,00000000,00000000,002BA088,?,?,?,?,0022230A), ref: 00222D45

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 887f6f196f5ea5763e118a5d7e761f70484339e3be07d4392cfe73d7e10748cc
Instruction ID: fdd3de3abd9b258fb6e2ac7a93d4259cf190a30084aaab0ed3e05bef65c7a32b
Opcode Fuzzy Hash: 887f6f196f5ea5763e118a5d7e761f70484339e3be07d4392cfe73d7e10748cc
Instruction Fuzzy Hash: 29F0C832A10736F78B301EB9BC889B7B79CEEC1755711092BE94AD3110E566DC55C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 0028A22B Relevance: 1.7, APIs: 1, Instructions: 156timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002877CB: RtlFreeHeap.NTDLL(00000000,00000000,?,0028E046,?,00000000,?,?,0028E2E7,?,00000007,?,?,0028E7DB,?,?), ref: 002877E1
Part of subcall function 002877CB: GetLastError.KERNEL32(?,?,0028E046,?,00000000,?,?,0028E2E7,?,00000007,?,?,0028E7DB,?,?), ref: 002877EC

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0028A3DE,00000000,00000000,00000000), ref: 0028A29D

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3335090040-0
Opcode ID: 022a9ffdfdbbe5737b6eb14293a4812f8f575e1c52f5758c7c78964c75daebff
Instruction ID: 0449e2286383a4754d90273c219aeace98b683d43dec131635434c05af41f87a
Opcode Fuzzy Hash: 022a9ffdfdbbe5737b6eb14293a4812f8f575e1c52f5758c7c78964c75daebff
Instruction Fuzzy Hash: 1C410A75C22115ABDB10BF65EC059AE7B78AF05320B144266F504D75D1EB309EA0CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 0028F6C8 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 002874E0: GetLastError.KERNEL32(?,00000000,0027FE40,002B27F0,00000008,00000003,00277352,?,002772C1,00000004,?,002774D0), ref: 002874E4
Part of subcall function 002874E0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,?,?,00000000,?,?,?,002852D6,002B2958,0000000C,00285594), ref: 00287586

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0028F71C

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 613037fe5ee953e27a7c41d9d74b5f7ca8a9d190b966848cf8f80e1989a0b4ab
Instruction ID: ddeb83f6f9c264417f6befcc03d4db112cbc2c9d587374f6aeb0c8751ef34a51
Opcode Fuzzy Hash: 613037fe5ee953e27a7c41d9d74b5f7ca8a9d190b966848cf8f80e1989a0b4ab
Instruction Fuzzy Hash: 1E21B836536206ABEB14BE14DD41A7B73A8EF04311F104079FD05C61C2EB74DD10CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0028F34F Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002874E0: GetLastError.KERNEL32(?,00000000,0027FE40,002B27F0,00000008,00000003,00277352,?,002772C1,00000004,?,002774D0), ref: 002874E4
Part of subcall function 002874E0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,?,?,00000000,?,?,?,002852D6,002B2958,0000000C,00285594), ref: 00287586

EnumSystemLocalesW.KERNEL32(0028F475,00000001,00000000,?,-00000050,?,0028FAA9,00000000,?,?,?,00000055,?), ref: 0028F3C1

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 5553642bd79cd82801f44e99e7d98b7103cd1c07e20c5d1fcdb1b00554ee0ee1
Instruction ID: 30202333cbc0297e06965ff7c742b1bf397032eae13147e1b11ee3b09154b8f5
Opcode Fuzzy Hash: 5553642bd79cd82801f44e99e7d98b7103cd1c07e20c5d1fcdb1b00554ee0ee1
Instruction Fuzzy Hash: 52114C3F2113065FDB18AF39D99157AB791FF80368B14443DE98687A80D771B852CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0028F8F7 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 002874E0: GetLastError.KERNEL32(?,00000000,0027FE40,002B27F0,00000008,00000003,00277352,?,002772C1,00000004,?,002774D0), ref: 002874E4
Part of subcall function 002874E0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,?,?,00000000,?,?,?,002852D6,002B2958,0000000C,00285594), ref: 00287586

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0028F691,00000000,00000000,?), ref: 0028F923

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 347b51d57420598c74dc5f886979015a9fe6a9264d2fb6f45e886df1237e4cde
Instruction ID: a478ac3b58b795f6e62736e8f1349b0e645c72f4eea486efbbc5a158bc6fc027
Opcode Fuzzy Hash: 347b51d57420598c74dc5f886979015a9fe6a9264d2fb6f45e886df1237e4cde
Instruction Fuzzy Hash: 5001263B621112BBDB286A2489057BB3768DF40754F254439EC06B31C1EA74FE51C790

Uniqueness

Uniqueness Score: -1.00%

Function 0028F3EA Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002874E0: GetLastError.KERNEL32(?,00000000,0027FE40,002B27F0,00000008,00000003,00277352,?,002772C1,00000004,?,002774D0), ref: 002874E4
Part of subcall function 002874E0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,?,?,00000000,?,?,?,002852D6,002B2958,0000000C,00285594), ref: 00287586

EnumSystemLocalesW.KERNEL32(0028F6C8,00000001,00000000,?,-00000050,?,0028FA71,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0028F434

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 4f45d0ec132deca36eeb8e95478d1ec219e5df9e6f9cb63ff4b2d87804904ea7
Instruction ID: 33eec6f96e3cc5074350087c00df8dc8810d5e590eb65083cdf048120a9370eb
Opcode Fuzzy Hash: 4f45d0ec132deca36eeb8e95478d1ec219e5df9e6f9cb63ff4b2d87804904ea7
Instruction Fuzzy Hash: 37F0463A2123041FDB246F35E881A7B7B90EF80368F14843EFA054B6E1D6B1AC12CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00288E2C Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00282033: EnterCriticalSection.KERNEL32(-002B9838,?,002852C9,00223190,002B2958,0000000C,00285594,?), ref: 00282042

EnumSystemLocalesW.KERNEL32(00288E1F,00000001,002B2AF8,0000000C,00289294,00000000), ref: 00288E64

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 14eecd2ab3ad30266066e3a12e9a17bcb77fa49e215e6008a0b294171db101c9
Instruction ID: cbc5e54faeda4ff12dbca592f21b46ade5dc1c78814810ff91d93920167de317
Opcode Fuzzy Hash: 14eecd2ab3ad30266066e3a12e9a17bcb77fa49e215e6008a0b294171db101c9
Instruction Fuzzy Hash: 3FF03736A10201DFEB14EF98E846B9D77B0EB08721F10816BF5249B2E0CBB589508F80

Uniqueness

Uniqueness Score: -1.00%

Function 00271924 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,0026F64F,00000000,000000FF,00000004,0026E290,000000FF,00000004,0026E6A3,00000000,00000000), ref: 0027193D

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 792daf602abd3dcd448848677d0d8a378971bbff9b2a8084df53d359befdeaf4
Instruction ID: 6feaeabfefe11283e4d4af0b9caf46b60532a4cecc61aa868644781f83206232
Opcode Fuzzy Hash: 792daf602abd3dcd448848677d0d8a378971bbff9b2a8084df53d359befdeaf4
Instruction Fuzzy Hash: 09E09B33674106F5D7059FBC592FB6A7698DB01706F108151F20AF50C1C5B4DA219661

Uniqueness

Uniqueness Score: -1.00%

Function 0028F304 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002874E0: GetLastError.KERNEL32(?,00000000,0027FE40,002B27F0,00000008,00000003,00277352,?,002772C1,00000004,?,002774D0), ref: 002874E4
Part of subcall function 002874E0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,?,?,00000000,?,?,?,002852D6,002B2958,0000000C,00285594), ref: 00287586

EnumSystemLocalesW.KERNEL32(0028F25D,00000001,00000000,?,?,0028FACB,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0028F33B

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: d88eb15c049894f14b611bf72ed31ae87a644430301b4886345e781abf854b27
Instruction ID: 44c1c829db69a3eb331088ceea8030b76b7e3fecf899d4e39d0395fc52e2a872
Opcode Fuzzy Hash: d88eb15c049894f14b611bf72ed31ae87a644430301b4886345e781abf854b27
Instruction Fuzzy Hash: 15F0553E30020557CB04AF35E84566A7F90EFC2724B1640A9EA198B291C2319882C790

Uniqueness

Uniqueness Score: -1.00%

Function 002893EF Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00286BEE,?,20001004,00000000,00000002,?,?,002861E0), ref: 00289423

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 9ba455367a3f4c78546476a308bace7c938bde228e0ee207c97aff180c1106b4
Instruction ID: 5d9445f300e461f83f29a08432b373002cd2818b6f1bdceab186274168d9312f
Opcode Fuzzy Hash: 9ba455367a3f4c78546476a308bace7c938bde228e0ee207c97aff180c1106b4
Instruction Fuzzy Hash: 3BE04F39511118BBCF123F60EC08EAE3F56EF44750F188011FD05652A1CB718E71ABE4

Uniqueness

Uniqueness Score: -1.00%

Function 0024CC10 Relevance: 33.5, APIs: 7, Strings: 12, Instructions: 297libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,DBCFA47E,?,?,?,00000006,?,00298D0F,000000FF,?,0023DEBB,?,?,?,00000006), ref: 0024CC3C
GetProcAddress.KERNEL32(00000000,NtWow64ReadVirtualMemory64), ref: 0024CC50
GetProcAddress.KERNEL32(00000000,NtWow64QueryInformationProcess64), ref: 0024CC58
GetProcAddress.KERNEL32(00000000,NtQueryInformationProcess), ref: 0024CC60
GetProcAddress.KERNEL32(00000000,NtSetInformationProcess), ref: 0024CC6D
GetProcAddress.KERNEL32(00000000,NtSuspendProcess), ref: 0024CC7A
GetProcAddress.KERNEL32(00000000,NtResumeProcess), ref: 0024CC87

Part of subcall function 002230C0: GetProcessHeap.KERNEL32 ref: 002230EC

Part of subcall function 002222E0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,00221170,/pixel.gif,?,80004005,DBCFA47E,00000000,0029768F,000000FF), ref: 0022231A

Strings

NtSuspendProcess failed., xrefs: 0024CE39, 0024CE53
NtSuspendProcess, xrefs: 0024CC6F
NtWow64ReadVirtualMemory64, xrefs: 0024CC4A
NtSetInformationProcess failed., xrefs: 0024CD8C, 0024CDA6
NtQueryInformationProcess failed., xrefs: 0024CCB5, 0024CCCF
NtSetInformationProcess, xrefs: 0024CC62
NtResumeProcess, xrefs: 0024CC7C
ntdll.dll, xrefs: 0024CC37
NtResumeProcess failed., xrefs: 0024CEE1, 0024CEFB
NtWow64QueryInformationProcess64, xrefs: 0024CC52
Error, xrefs: 0024CCFD, 0024CD14, 0024CDD4, 0024CDEB, 0024CE81, 0024CE98, 0024CF29, 0024CF40
NtQueryInformationProcess, xrefs: 0024CC5A

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: AddressProc$FindHeapLibraryLoadProcessResource
String ID: Error$NtQueryInformationProcess$NtQueryInformationProcess failed.$NtResumeProcess$NtResumeProcess failed.$NtSetInformationProcess$NtSetInformationProcess failed.$NtSuspendProcess$NtSuspendProcess failed.$NtWow64QueryInformationProcess64$NtWow64ReadVirtualMemory64$ntdll.dll
API String ID: 2967404671-1687995497
Opcode ID: 0ab743acbcf3d28f0974bc6d89e7a0457e72ccc7b3a98b856a3c8ad12a6ad21f
Instruction ID: 794ec84eb8b4625530cdf505a4c237717722dc05f5bfadfa19b4581c0aa66fb4
Opcode Fuzzy Hash: 0ab743acbcf3d28f0974bc6d89e7a0457e72ccc7b3a98b856a3c8ad12a6ad21f
Instruction Fuzzy Hash: 1EB1E830A21215EFEB04DFA8DD09BAEB7B0EF12710F104559E811A72D1EF759A28CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00266FAA Relevance: 28.9, APIs: 19, Instructions: 433COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00266FB1
ctype.LIBCPMT ref: 00266FF8

Part of subcall function 0026671E: __Getctype.LIBCPMT ref: 0026672D

Part of subcall function 00262405: __EH_prolog3.LIBCMT ref: 0026240C
Part of subcall function 00262405: std::_Lockit::_Lockit.LIBCPMT ref: 00262416
Part of subcall function 00262405: int.LIBCPMT ref: 0026242D

Part of subcall function 0026252F: __EH_prolog3.LIBCMT ref: 00262536
Part of subcall function 0026252F: std::_Lockit::_Lockit.LIBCPMT ref: 00262540
Part of subcall function 0026252F: int.LIBCPMT ref: 00262557

Part of subcall function 002626EE: __EH_prolog3.LIBCMT ref: 002626F5
Part of subcall function 002626EE: std::_Lockit::_Lockit.LIBCPMT ref: 002626FF
Part of subcall function 002626EE: int.LIBCPMT ref: 00262716
Part of subcall function 002626EE: std::_Lockit::~_Lockit.LIBCPMT ref: 00262770

Part of subcall function 00262659: __EH_prolog3.LIBCMT ref: 00262660
Part of subcall function 00262659: std::_Lockit::_Lockit.LIBCPMT ref: 0026266A
Part of subcall function 00262659: int.LIBCPMT ref: 00262681

Part of subcall function 0025C6CD: __EH_prolog3.LIBCMT ref: 0025C6D4
Part of subcall function 0025C6CD: std::_Lockit::_Lockit.LIBCPMT ref: 0025C6DE
Part of subcall function 0025C6CD: std::_Lockit::~_Lockit.LIBCPMT ref: 0025C785

int.LIBCPMT ref: 002671AE
int.LIBCPMT ref: 00267208
int.LIBCPMT ref: 0026724B
int.LIBCPMT ref: 0026728E
int.LIBCPMT ref: 002672FA
int.LIBCPMT ref: 0026737F
numpunct.LIBCPMT ref: 002673A6

Part of subcall function 00262FB4: __EH_prolog3.LIBCMT ref: 00262FBB

Part of subcall function 00262C2B: __EH_prolog3.LIBCMT ref: 00262C32
Part of subcall function 00262C2B: std::_Lockit::_Lockit.LIBCPMT ref: 00262C3C
Part of subcall function 00262C2B: int.LIBCPMT ref: 00262C53
Part of subcall function 00262C2B: std::_Lockit::~_Lockit.LIBCPMT ref: 00262CAD

Part of subcall function 00262D55: __EH_prolog3.LIBCMT ref: 00262D5C
Part of subcall function 00262D55: std::_Lockit::_Lockit.LIBCPMT ref: 00262D66
Part of subcall function 00262D55: int.LIBCPMT ref: 00262D7D
Part of subcall function 00262D55: std::_Lockit::~_Lockit.LIBCPMT ref: 00262DD7

Part of subcall function 0025C6CD: Concurrency::cancel_current_task.LIBCPMT ref: 0025C790
Part of subcall function 0025C6CD: __EH_prolog3.LIBCMT ref: 0025C79D

Part of subcall function 00261FF2: __EH_prolog3.LIBCMT ref: 00261FF9
Part of subcall function 00261FF2: std::_Lockit::_Lockit.LIBCPMT ref: 00262003
Part of subcall function 00261FF2: int.LIBCPMT ref: 0026201A
Part of subcall function 00261FF2: std::_Lockit::~_Lockit.LIBCPMT ref: 00262074

int.LIBCPMT ref: 002673CF
int.LIBCPMT ref: 00266FCD

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

int.LIBCPMT ref: 00267037
int.LIBCPMT ref: 0026707D
int.LIBCPMT ref: 002670C0
collate.LIBCPMT ref: 0026712C
int.LIBCPMT ref: 00267146
__Getcoll.LIBCPMT ref: 0026716C
int.LIBCPMT ref: 00267437
codecvt.LIBCPMT ref: 00267457

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3$Lockit::_$Lockit::~_$Concurrency::cancel_current_taskGetcollGetctypecodecvtcollatectypenumpunct
String ID:
API String ID: 3571528127-0
Opcode ID: e21095f37f79c98d17d749727bd107571d38474b632cbc2ebc93e8e8bfa478fe
Instruction ID: dfd9733850297bea19091abd7878d01cfdd691f9404b6ea65f48debdab3db506
Opcode Fuzzy Hash: e21095f37f79c98d17d749727bd107571d38474b632cbc2ebc93e8e8bfa478fe
Instruction Fuzzy Hash: 47E1347183431AEFDB11AF649C126BF7AA4EF41354F24806DFD186B391EA708DB49B90

Uniqueness

Uniqueness Score: -1.00%

Function 00267486 Relevance: 27.4, APIs: 18, Instructions: 433COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026748D
int.LIBCPMT ref: 0026768A
int.LIBCPMT ref: 002676E4
int.LIBCPMT ref: 00267727
int.LIBCPMT ref: 0026776A
int.LIBCPMT ref: 002677D6
int.LIBCPMT ref: 0026785B

Part of subcall function 00256D50: __Getctype.LIBCPMT ref: 00256D5D

Part of subcall function 0026249A: __EH_prolog3.LIBCMT ref: 002624A1
Part of subcall function 0026249A: std::_Lockit::_Lockit.LIBCPMT ref: 002624AB
Part of subcall function 0026249A: int.LIBCPMT ref: 002624C2

Part of subcall function 002625C4: __EH_prolog3.LIBCMT ref: 002625CB
Part of subcall function 002625C4: std::_Lockit::_Lockit.LIBCPMT ref: 002625D5
Part of subcall function 002625C4: int.LIBCPMT ref: 002625EC

Part of subcall function 00262818: __EH_prolog3.LIBCMT ref: 0026281F
Part of subcall function 00262818: std::_Lockit::_Lockit.LIBCPMT ref: 00262829
Part of subcall function 00262818: int.LIBCPMT ref: 00262840
Part of subcall function 00262818: std::_Lockit::~_Lockit.LIBCPMT ref: 0026289A

Part of subcall function 00262783: __EH_prolog3.LIBCMT ref: 0026278A
Part of subcall function 00262783: std::_Lockit::_Lockit.LIBCPMT ref: 00262794
Part of subcall function 00262783: int.LIBCPMT ref: 002627AB
Part of subcall function 00262783: std::_Lockit::~_Lockit.LIBCPMT ref: 00262805

Part of subcall function 0025C6CD: __EH_prolog3.LIBCMT ref: 0025C6D4
Part of subcall function 0025C6CD: std::_Lockit::_Lockit.LIBCPMT ref: 0025C6DE
Part of subcall function 0025C6CD: std::_Lockit::~_Lockit.LIBCPMT ref: 0025C785

numpunct.LIBCPMT ref: 00267882

Part of subcall function 00262FE7: __EH_prolog3.LIBCMT ref: 00262FEE

Part of subcall function 00262CC0: __EH_prolog3.LIBCMT ref: 00262CC7
Part of subcall function 00262CC0: std::_Lockit::_Lockit.LIBCPMT ref: 00262CD1
Part of subcall function 00262CC0: int.LIBCPMT ref: 00262CE8
Part of subcall function 00262CC0: std::_Lockit::~_Lockit.LIBCPMT ref: 00262D42

Part of subcall function 00262DEA: __EH_prolog3.LIBCMT ref: 00262DF1
Part of subcall function 00262DEA: std::_Lockit::_Lockit.LIBCPMT ref: 00262DFB
Part of subcall function 00262DEA: int.LIBCPMT ref: 00262E12
Part of subcall function 00262DEA: std::_Lockit::~_Lockit.LIBCPMT ref: 00262E6C

Part of subcall function 0025C6CD: Concurrency::cancel_current_task.LIBCPMT ref: 0025C790
Part of subcall function 0025C6CD: __EH_prolog3.LIBCMT ref: 0025C79D

Part of subcall function 00262087: __EH_prolog3.LIBCMT ref: 0026208E
Part of subcall function 00262087: std::_Lockit::_Lockit.LIBCPMT ref: 00262098
Part of subcall function 00262087: int.LIBCPMT ref: 002620AF
Part of subcall function 00262087: std::_Lockit::~_Lockit.LIBCPMT ref: 00262109

int.LIBCPMT ref: 002678AB
int.LIBCPMT ref: 002674A9

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

int.LIBCPMT ref: 00267513
int.LIBCPMT ref: 00267559
int.LIBCPMT ref: 0026759C
collate.LIBCPMT ref: 00267608
int.LIBCPMT ref: 00267622
__Getcoll.LIBCPMT ref: 00267648
int.LIBCPMT ref: 00267913
codecvt.LIBCPMT ref: 00267933

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3$Lockit::_$Lockit::~_$Concurrency::cancel_current_taskGetcollGetctypecodecvtcollatenumpunct
String ID:
API String ID: 989176096-0
Opcode ID: c3c6e56ba3aff7b3c2408c2020da0526feac5bd9b623607f1dc006e810da334d
Instruction ID: 315a9cd676bcd21ed1e653179bad842296846b8b46037230d8171fce84393093
Opcode Fuzzy Hash: c3c6e56ba3aff7b3c2408c2020da0526feac5bd9b623607f1dc006e810da334d
Instruction Fuzzy Hash: D7E1F271834316EFDB11AF64DC066AE7AA8EF40354F20806DFD5867291EB708DB49F91

Uniqueness

Uniqueness Score: -1.00%

Function 0023C2D0 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 451timeCOMMON

Download Yara Rule

APIs

Part of subcall function 002230C0: GetProcessHeap.KERNEL32 ref: 002230EC

Part of subcall function 002222E0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,00221170,/pixel.gif,?,80004005,DBCFA47E,00000000,0029768F,000000FF), ref: 0022231A

WinHttpOpen.WINHTTP(?,00000000,00000000,00000000,00000000,WinHTTP 1.0), ref: 0023C34F
WinHttpConnect.WINHTTP(00000000,?,000001BB,00000000), ref: 0023C37E
GetTickCount64.KERNEL32 ref: 0023C3C1
WinHttpOpenRequest.WINHTTP(?,GET,?,00000000,00000000,00000000,00800000), ref: 0023C405
WinHttpSetTimeouts.WINHTTP(00000000,00002710,00002710,00002710,00002710), ref: 0023C42D
WinHttpCloseHandle.WINHTTP(00000000), ref: 0023C442
WinHttpCloseHandle.WINHTTP(?), ref: 0023C447
WinHttpSendRequest.WINHTTP(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0023C510
WinHttpReceiveResponse.WINHTTP(?,00000000), ref: 0023C54A
WinHttpQueryDataAvailable.WINHTTP(?,?), ref: 0023C569
WinHttpReadData.WINHTTP(?,00000010,00000000,00000000), ref: 0023C5D9

Strings

GET, xrefs: 0023C3FD
WinHTTP 1.0, xrefs: 0023C315, 0023C32F

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Http$CloseDataHandleOpenRequest$AvailableConnectCount64FindHeapProcessQueryReadReceiveResourceResponseSendTickTimeouts
String ID: GET$WinHTTP 1.0
API String ID: 369866759-1397384856
Opcode ID: b9a3135ad950937381c2b5de6199525b1ddd927c6d246766b174267dd7de2866
Instruction ID: 9b4ce93c3fc7b40ddee9d30093a2137a1e725d183010f3bd62d36a9372b924ad
Opcode Fuzzy Hash: b9a3135ad950937381c2b5de6199525b1ddd927c6d246766b174267dd7de2866
Instruction Fuzzy Hash: 22026EB1A11606EFDB10DFA8C888B9DBBF4EF05324F248169E815AB291DB75ED14CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0023BDA0 Relevance: 23.2, APIs: 10, Strings: 3, Instructions: 433COMMON

Download Yara Rule

APIs

Part of subcall function 002230C0: GetProcessHeap.KERNEL32 ref: 002230EC

Part of subcall function 002222E0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,00221170,/pixel.gif,?,80004005,DBCFA47E,00000000,0029768F,000000FF), ref: 0022231A

WinHttpOpen.WINHTTP(?,00000000,00000000,00000000,10000000,WinHTTP 1.0), ref: 0023BE1F
WinHttpConnect.WINHTTP(00000000,000001BB,00000000), ref: 0023BE42
WinHttpOpenRequest.WINHTTP(00000000,GET,?,00000000,00000000,00000000,00800000), ref: 0023BEA3
WinHttpSetStatusCallback.WINHTTP(00000000,0023C2C0,00240000,00000000), ref: 0023BEC3
WinHttpCloseHandle.WINHTTP(00000000), ref: 0023BED9
WinHttpCloseHandle.WINHTTP(?), ref: 0023BEDE

Strings

%ws?%ws, xrefs: 0023BE80
GET, xrefs: 0023BE9D
WinHTTP 1.0, xrefs: 0023BDE2, 0023BDFC

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Http$CloseHandleOpen$CallbackConnectFindHeapProcessRequestResourceStatus
String ID: %ws?%ws$GET$WinHTTP 1.0
API String ID: 2977288223-4027742023
Opcode ID: 12b9073af0fb2186cbee61de1beb581dcb85373c1e57638c69eb56255487442a
Instruction ID: f5c9e8a15e48513b9b4d949550507171737b134631ed08a84e7fe98ec657c99f
Opcode Fuzzy Hash: 12b9073af0fb2186cbee61de1beb581dcb85373c1e57638c69eb56255487442a
Instruction Fuzzy Hash: 66F18D70A11606EFDB14DFA8C888B5EBBF4EF05324F248269E815AB291DB75ED14CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00246FD0 Relevance: 21.5, APIs: 11, Strings: 1, Instructions: 465fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002230C0: GetProcessHeap.KERNEL32 ref: 002230EC

Part of subcall function 002222E0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,00221170,/pixel.gif,?,80004005,DBCFA47E,00000000,0029768F,000000FF), ref: 0022231A

CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,A0000000,00000000,BigTestFile), ref: 00247062
GetLastError.KERNEL32 ref: 0024706B
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,A0000000,00000000), ref: 00247089
WriteFile.KERNEL32(00000000,00000000,00000400,?,00000000), ref: 002470C4
CloseHandle.KERNEL32(00000000), ref: 002470EA
GetCurrentDirectoryW.KERNEL32(00000400,00000000), ref: 00247106
GetLastError.KERNEL32 ref: 00247190
CopyFileW.KERNEL32(?,?,00000001,?,?,?,002A74E8), ref: 00247373
GetLastError.KERNEL32(?,?,?,002A74E8), ref: 0024737D
DeleteFileW.KERNEL32(?,00000000,?,?,?,?,002A74E8), ref: 002473E0
DeleteFileW.KERNEL32(?,00000000,?,?,?,?,?,002A74E8), ref: 002474A4

Strings

BigTestFile, xrefs: 00247018, 00247032

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: File$ErrorLast$CreateDelete$CloseCopyCurrentDirectoryFindHandleHeapProcessResourceWrite
String ID: BigTestFile
API String ID: 3416412756-1958490937
Opcode ID: 63be9a569eba5b35b9a1096c26d89f647314685e7995e05b9979c5d7c1bb75cb
Instruction ID: 02fa8427e49b53be6bc7a8bdb2e9b04afa7ed78550d2858d1caf1aa191af0d58
Opcode Fuzzy Hash: 63be9a569eba5b35b9a1096c26d89f647314685e7995e05b9979c5d7c1bb75cb
Instruction Fuzzy Hash: 6B02C130A10609DBDB14DFA8CC55BADF7B4FF05310F1482A9E819AB292EB709E55CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0024D5B0 Relevance: 19.7, APIs: 5, Strings: 6, Instructions: 452COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,DBCFA47E,00000000,7622F550), ref: 0024D5FC
GetPriorityClass.KERNEL32(00000000), ref: 0024D610
GetLastError.KERNEL32(Error), ref: 0024D6AF
CloseHandle.KERNEL32(?), ref: 0024D707
GetProcessPriorityBoost.KERNEL32(00000000,?), ref: 0024D76A

Part of subcall function 002230C0: GetProcessHeap.KERNEL32 ref: 002230EC

Part of subcall function 002222E0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,00221170,/pixel.gif,?,80004005,DBCFA47E,00000000,0029768F,000000FF), ref: 0022231A

Strings

NtQueryInformationProcess( IoPriority ) failed., xrefs: 0024D94D, 0024D967
NtQueryInformationProcess( PowerThrottling ) failed., xrefs: 0024D8AA, 0024D8C4
GetProcessPriorityBoost failed., xrefs: 0024D794, 0024D7AE
Error, xrefs: 0024D687, 0024D69E, 0024D7DE, 0024D7F5, 0024D8F4, 0024D90B, 0024D997, 0024D9AE, 0024DA3C, 0024DA53
NtQueryInformationProcess( MemoryPriority ) failed., xrefs: 0024D9F2, 0024DA0C
GetPriorityClass failed., xrefs: 0024D63D, 0024D657

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Process$Priority$BoostClassCloseErrorFindHandleHeapLastOpenResource
String ID: Error$GetPriorityClass failed.$GetProcessPriorityBoost failed.$NtQueryInformationProcess( IoPriority ) failed.$NtQueryInformationProcess( MemoryPriority ) failed.$NtQueryInformationProcess( PowerThrottling ) failed.
API String ID: 138614695-1358533881
Opcode ID: ac086ce95622b68a0d0985ad202761d9f8b137351c2ae35370f2d52e932dac65
Instruction ID: 912979fa2bb3b1ccf193f2748c3b9c4b68a3474f06f9523a06118d3e2f137511
Opcode Fuzzy Hash: ac086ce95622b68a0d0985ad202761d9f8b137351c2ae35370f2d52e932dac65
Instruction Fuzzy Hash: 25F19D30920209EBEB14DFE8D955BEDB7B0EF15314F148258E901BB291EB71AE59CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0023C830 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 238timeCOMMON

Download Yara Rule

APIs

WinHttpConnect.WINHTTP(?,C08504C4,000001BB,00000000,DBCFA47E,000003E8,?,?,?,0023BB34,?), ref: 0023C882
GetTickCount64.KERNEL32 ref: 0023C8C3
WinHttpOpenRequest.WINHTTP(?,GET,?,00000000,00000000,00000000,00800000), ref: 0023C904
WinHttpSetTimeouts.WINHTTP(00000000,00002710,00002710,00002710,00002710), ref: 0023C925
WinHttpCloseHandle.WINHTTP(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0023BB34,?), ref: 0023C936
WinHttpCloseHandle.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,?,?,0023BB34,?), ref: 0023C93B
WinHttpSendRequest.WINHTTP(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0023C9A8
WinHttpReceiveResponse.WINHTTP(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0023BB34), ref: 0023C9B7
WinHttpCloseHandle.WINHTTP(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0023BB34), ref: 0023C9C0
WinHttpCloseHandle.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,?,?,0023BB34), ref: 0023C9C5

Part of subcall function 002230C0: GetProcessHeap.KERNEL32 ref: 002230EC

Strings

GET, xrefs: 0023C8FC

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Http$CloseHandle$Request$ConnectCount64HeapOpenProcessReceiveResponseSendTickTimeouts
String ID: GET
API String ID: 3667219687-1805413626
Opcode ID: 062d96b3570a54901f86f787d8ce94a2601c4e95d773c578af178210c94b3290
Instruction ID: fba2ada1e4871ddf59db75c3577583938e686d24df7e0ec74125f4103669d0d8
Opcode Fuzzy Hash: 062d96b3570a54901f86f787d8ce94a2601c4e95d773c578af178210c94b3290
Instruction Fuzzy Hash: 3A71A471610606AFDB10DF68DC89F6ABBB5FF44720F258569E914EB291D731EC10CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0026F683 Relevance: 18.3, APIs: 12, Instructions: 277COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026F68A
collate.LIBCPMT ref: 0026F696

Part of subcall function 0026E36E: __EH_prolog3_GS.LIBCMT ref: 0026E375
Part of subcall function 0026E36E: __Getcoll.LIBCPMT ref: 0026E3D9

__Getcoll.LIBCPMT ref: 0026F6D9

Part of subcall function 0026E1D2: __EH_prolog3.LIBCMT ref: 0026E1D9
Part of subcall function 0026E1D2: std::_Lockit::_Lockit.LIBCPMT ref: 0026E1E3
Part of subcall function 0026E1D2: int.LIBCPMT ref: 0026E1FA
Part of subcall function 0026E1D2: std::_Lockit::~_Lockit.LIBCPMT ref: 0026E254

Part of subcall function 0025C6CD: __EH_prolog3.LIBCMT ref: 0025C6D4
Part of subcall function 0025C6CD: std::_Lockit::_Lockit.LIBCPMT ref: 0025C6DE
Part of subcall function 0025C6CD: std::_Lockit::~_Lockit.LIBCPMT ref: 0025C785

int.LIBCPMT ref: 0026F6B3

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

int.LIBCPMT ref: 0026F717
int.LIBCPMT ref: 0026F76D
int.LIBCPMT ref: 0026F7B2
int.LIBCPMT ref: 0026F7F5
int.LIBCPMT ref: 0026F861
int.LIBCPMT ref: 0026F8E2
numpunct.LIBCPMT ref: 0026F909
int.LIBCPMT ref: 0026F931

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_$Getcoll$H_prolog3_collatenumpunct
String ID:
API String ID: 613342304-0
Opcode ID: 728839fa42b8415ecc77b300cd827e4512bf7239f43da16165627a7b9a4d19ad
Instruction ID: 1fbc43e7c1fd1e82419ad9ed64e89197ef88e54ba9a9cb97400e905dd63902dc
Opcode Fuzzy Hash: 728839fa42b8415ecc77b300cd827e4512bf7239f43da16165627a7b9a4d19ad
Instruction Fuzzy Hash: 97914C72C30315AEDF51AF74990667FB6E8DF80350F208469FD1967281EB708EB48BA1

Uniqueness

Uniqueness Score: -1.00%

Function 002584D0 Relevance: 17.8, APIs: 3, Strings: 7, Instructions: 271registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000101,00000000,DBCFA47E,?,00000000), ref: 00258605
RegQueryValueExW.ADVAPI32(00000000,MachineGuid,00000000,?,00000000,00000000,?,00000000), ref: 0025862F
RegQueryValueExW.ADVAPI32(00000000,MachineGuid,00000000,00000000,00000000,00000000), ref: 0025866A

Part of subcall function 00222E90: HeapAlloc.KERNEL32(?,00000000,?,?,?,002B2D8C,?,?,00222CBB,80070057), ref: 00222EBB

Strings

03000200-0400-0500-0006-000700080009, xrefs: 002584FF
SOFTWARE\Microsoft\Cryptography, xrefs: 002585FB
MachineGuid, xrefs: 00258627, 00258662
%wsX, xrefs: 00258722
12345678-1234-5678-90AB-CDDEEFAABBCC, xrefs: 00258539
FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF, xrefs: 002585A5
00000000-0000-0000-0000-000000000000, xrefs: 0025856F

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: QueryValue$AllocHeapOpen
String ID: %wsX$00000000-0000-0000-0000-000000000000$03000200-0400-0500-0006-000700080009$12345678-1234-5678-90AB-CDDEEFAABBCC$FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF$MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 1471642767-2974506590
Opcode ID: 1c3e46d88e6e0826c602068810202cd3d6baf1c4df9029e2bda4c20360237475
Instruction ID: f1faa8f4cee6ccc815adcacd26e38e65ea01c22cae4919f88336d9e5807af465
Opcode Fuzzy Hash: 1c3e46d88e6e0826c602068810202cd3d6baf1c4df9029e2bda4c20360237475
Instruction Fuzzy Hash: 8991E271A201029BEB149F64CC01BBBB3A5EF24751F55456ADC02F7281FFB2E928CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00240320 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 269registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(?,?,?), ref: 00240356
CloseHandle.KERNEL32(?,?,?,?,?,00253E56,?,DisplayVersion,Software\Microsoft\Windows\CurrentVersion\Uninstall\Fast!), ref: 00240363
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,?,00253E56,?,DisplayVersion,Software\Microsoft\Windows\CurrentVersion\Uninstall\Fast!), ref: 002403A9
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00253E56,?,DisplayVersion,Software\Microsoft\Windows\CurrentVersion\Uninstall\Fast!), ref: 002403E3
CloseHandle.KERNEL32(?,?,?,00253E56,?,DisplayVersion,Software\Microsoft\Windows\CurrentVersion\Uninstall\Fast!), ref: 002403F0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00253E56,?,DisplayVersion,Software\Microsoft\Windows\CurrentVersion\Uninstall\Fast!), ref: 002405C7

Part of subcall function 002230C0: GetProcessHeap.KERNEL32 ref: 002230EC

CloseHandle.KERNEL32(?,?,?,?,?,00253E56,?,DisplayVersion,Software\Microsoft\Windows\CurrentVersion\Uninstall\Fast!), ref: 002404AF
CloseHandle.KERNEL32(?,?,?,?,?,00253E56,?,DisplayVersion,Software\Microsoft\Windows\CurrentVersion\Uninstall\Fast!), ref: 00240537
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00253E56,?,DisplayVersion,Software\Microsoft\Windows\CurrentVersion\Uninstall\Fast!), ref: 002405D5

Strings

V>%, xrefs: 002405B3, 002405CD, 00240516, 00240468

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: CloseHandle$QueryValue$CreateHeapProcess
String ID: V>%
API String ID: 473442574-2645640234
Opcode ID: 4a87b166183ebb723ef9634d6c104876917ddc1fd68aec615fe6edaaacb07267
Instruction ID: 6bb09de5406ea66fdd0ef53ca90131bbb334da1e70e6746a8333b4908688459a
Opcode Fuzzy Hash: 4a87b166183ebb723ef9634d6c104876917ddc1fd68aec615fe6edaaacb07267
Instruction Fuzzy Hash: EFA1A071D10116EFDB19DFA4DC85AAFBBB8FF44310F144429EA06A7250DB31A964CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0024FAC0 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 269fileCOMMON

Download Yara Rule

APIs

OpenEventLogW.ADVAPI32(00000000,System), ref: 0024FB40
GetNumberOfEventLogRecords.ADVAPI32(00000000,00000000), ref: 0024FB50

Part of subcall function 002230C0: GetProcessHeap.KERNEL32 ref: 002230EC

ReadEventLogW.ADVAPI32(00000000,00000005,00000000,00000000,0001FFFE,00000000,00000000), ref: 0024FB87
CloseEventLog.ADVAPI32(00000000), ref: 0024FC03
WriteFile.KERNEL32(00000000,?,00000101,?,00000000,"":-1 } } },0000000D,{ "fast":{ "eventsDaily":{ ,0000001C), ref: 0024FCEC

Part of subcall function 00222E90: HeapAlloc.KERNEL32(?,00000000,?,?,?,002B2D8C,?,?,00222CBB,80070057), ref: 00222EBB

Strings

System, xrefs: 0024FB39
"":-1 } } }, xrefs: 0024FCC7
{ "fast":{ "eventsDaily":{ , xrefs: 0024FC43
"%s":%d,, xrefs: 0024FC69
%0.2d/%0.2d/%0.2d, xrefs: 0024FBD2

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Event$Heap$AllocCloseFileNumberOpenProcessReadRecordsWrite
String ID: "":-1 } } }$"%s":%d,$%0.2d/%0.2d/%0.2d$System${ "fast":{ "eventsDaily":{
API String ID: 1664757657-334134642
Opcode ID: 59f70cc474eaac82043b5e40169ec9f3a6c158d25c945a703b4745982c588530
Instruction ID: ae581fd29f0e688954d6f12a746ddb471d478a53bdc2ea2ed00f9e460f143218
Opcode Fuzzy Hash: 59f70cc474eaac82043b5e40169ec9f3a6c158d25c945a703b4745982c588530
Instruction Fuzzy Hash: 0CA1C071910209EFDB14DFA8CD49FAEBBF5EF45310F058169E805AB2A2D770A914CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0024D000 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 218memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002230C0: GetProcessHeap.KERNEL32 ref: 002230EC

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0024D069
GlobalAlloc.KERNEL32(00000040,00000000), ref: 0024D11F
GetFileVersionInfoW.VERSION(?,00000000,?,00000000), ref: 0024D13B
VerQueryValueW.VERSION(00000000,002A74E8,?,?), ref: 0024D155
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?), ref: 0024D16F
wsprintfW.USER32 ref: 0024D19B
VerQueryValueW.VERSION(00000000,?,?,?), ref: 0024D1BA
GlobalFree.KERNEL32(00000000), ref: 0024D1FA

Part of subcall function 002222E0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,00221170,/pixel.gif,?,80004005,DBCFA47E,00000000,0029768F,000000FF), ref: 0022231A

Strings

\StringFileInfo\%04x%04x\%s, xrefs: 0024D195
\VarFileInfo\Translation, xrefs: 0024D169

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: QueryValue$FileGlobalInfoVersion$AllocFindFreeHeapProcessResourceSizewsprintf
String ID: \StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 1703689555-2466519063
Opcode ID: 5c78fb69da283bb9f86b5c19b2d2c29c4d2792b0d0bb3ffd98f09d81ad0cb04b
Instruction ID: 49b7dfac321ac1ff151503fc50fa4b51f75e2288a5dbac6cd429c7a776f054fd
Opcode Fuzzy Hash: 5c78fb69da283bb9f86b5c19b2d2c29c4d2792b0d0bb3ffd98f09d81ad0cb04b
Instruction Fuzzy Hash: 8D81C231600219EBDB15DF68CC49BAAB7B8FF45720F148299E919DB291DB30DE15CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00257B20 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 197windowregistryCOMMON

Download Yara Rule

APIs

RegisterClassW.USER32(?), ref: 00257BE1
CreateWindowExW.USER32(08000000,?,00000000,80000000,000000FF,00000001,000000FF,00000001,00000000,00000000,?,00000000), ref: 00257C08
ShowWindow.USER32(00000000,00000000), ref: 00257C33
UpdateWindow.USER32(00000000), ref: 00257C3A
PeekMessageW.USER32(?,?,00000000,00000000,00000001), ref: 00257C7C
TranslateMessage.USER32(?), ref: 00257C8A
DispatchMessageW.USER32(?), ref: 00257C94

Part of subcall function 002230C0: GetProcessHeap.KERNEL32 ref: 002230EC

PostMessageW.USER32(?,00000402,?,?), ref: 00257D17
DefWindowProcW.USER32(?,?,?,?), ref: 00257D23

Part of subcall function 002222E0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,00221170,/pixel.gif,?,80004005,DBCFA47E,00000000,0029768F,000000FF), ref: 0022231A

Strings

SYSTEM_EVT_HANDLER, xrefs: 00257B87, 00257B9D

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: MessageWindow$ClassCreateDispatchFindHeapPeekPostProcProcessRegisterResourceShowTranslateUpdate
String ID: SYSTEM_EVT_HANDLER
API String ID: 2996767847-656511211
Opcode ID: 52debe6a645992b5a528b6e6f156fc08566614c2577e1a6d383d9f42e12156a5
Instruction ID: 9716f18405a3d7d9a62619fbdbf56c28e2f89e1d76225a568cbe7ab92423a94f
Opcode Fuzzy Hash: 52debe6a645992b5a528b6e6f156fc08566614c2577e1a6d383d9f42e12156a5
Instruction Fuzzy Hash: CD51E472D54609AFDB10DFA8EC45B9EB7B8EF45721F20421AFD20A72D0DB70AD148B94

Uniqueness

Uniqueness Score: -1.00%

Function 00271E90 Relevance: 15.2, APIs: 10, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,0024F377,0024F379,00000000,00000000,DBCFA47E,?,00000000,?,00275C20,002B2618,000000FE,?,0024F377,?), ref: 00271F19
__alloca_probe_16.LIBCMT ref: 00271F3E
MultiByteToWideChar.KERNEL32(00000000,00000000,0024F377,?,00000000,00000000,?,00275C20,002B2618,000000FE,?,0024F377), ref: 00271F94
SysAllocString.OLEAUT32(00000000), ref: 00271F9F
_com_issue_error.COMSUPP ref: 00271FC8
_com_issue_error.COMSUPP ref: 00271FD2
GetLastError.KERNEL32(80070057,DBCFA47E,?,00000000,?,00275C20,002B2618,000000FE,?,0024F377,?), ref: 00271FD7
_com_issue_error.COMSUPP ref: 00271FEA
GetLastError.KERNEL32(00000000,?,00275C20,002B2618,000000FE,?,0024F377,?), ref: 00272000
_com_issue_error.COMSUPP ref: 00272013

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString__alloca_probe_16
String ID:
API String ID: 3079088546-0
Opcode ID: 4cd23fa3b96c0a44a16a08efc0a6376d231913632cdd9f37a5f83a25a06ef541
Instruction ID: 3bd803f048a101532c1cc54c125c2d6369b6d38294a66376791638f291ecd059
Opcode Fuzzy Hash: 4cd23fa3b96c0a44a16a08efc0a6376d231913632cdd9f37a5f83a25a06ef541
Instruction Fuzzy Hash: 6341F971A10316DBDB109F68DC45BAEBBA9EF45750F20C22AF90DE7681D7349830CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00242C00 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 425threadCOMMON

Download Yara Rule

APIs

Part of subcall function 002230C0: GetProcessHeap.KERNEL32 ref: 002230EC

GetWindowTextLengthW.USER32(00000000), ref: 00242CA8
GetWindowTextW.USER32(00000000,00000010,?), ref: 00242D01
EnumWindows.USER32(002430A0,?), ref: 00242DD5
GetWindowTextLengthW.USER32(00000000), ref: 00242E28
GetWindowTextW.USER32(00000000,00000010,?), ref: 00242E81
GetWindowThreadProcessId.USER32(?,00000000), ref: 002430AD

Strings

Control Panel, xrefs: 00242F1B
File Explorer, xrefs: 00242F51

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Window$Text$LengthProcess$EnumHeapThreadWindows
String ID: Control Panel$File Explorer
API String ID: 2115262820-3162655578
Opcode ID: 27a7c2603ea2a8a76c56dec2fecf276c2a05d982926906daeb4135e126b56672
Instruction ID: 63f303acc4cf5609765fbcdf4d0362a66473c8b134ee7e2f736892782cbf86b2
Opcode Fuzzy Hash: 27a7c2603ea2a8a76c56dec2fecf276c2a05d982926906daeb4135e126b56672
Instruction Fuzzy Hash: 35F1C330920206DFDB18DF69C844BAEB7B4FF14314F558659F811AB291DB72EA19CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0026A1F3 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 351COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026A1FA

Part of subcall function 00262246: __EH_prolog3.LIBCMT ref: 0026224D
Part of subcall function 00262246: std::_Lockit::_Lockit.LIBCPMT ref: 00262257
Part of subcall function 00262246: int.LIBCPMT ref: 0026226E

Strings

%m / %d / %y, xrefs: 0026A2F6
%b %d %H : %M : %S %Y, xrefs: 0026A4B2
%H : %M : %S, xrefs: 0026A3B6
%H : %M, xrefs: 0026A33F
%I : %M : %S %p, xrefs: 0026A584
:AM:am:PM:pm, xrefs: 0026A58F
%d / %m / %y, xrefs: 0026A55D

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: H_prolog3$LockitLockit::_std::_
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 2181796688-2891247106
Opcode ID: 8d5d48a31978c61291b3833a8618e0118887e9814a8494b5380ecfa9a1b65b9f
Instruction ID: e6f7bd3b40e39d6f956b7036de75adb95c3efb7d385b91cf7187cdec1e01c5a3
Opcode Fuzzy Hash: 8d5d48a31978c61291b3833a8618e0118887e9814a8494b5380ecfa9a1b65b9f
Instruction Fuzzy Hash: 89C171B692010AABCF18DF68CD65DFE7BA9FB05300F054119FA03B6251D671DAA0CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00270206 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 351COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0027020D

Part of subcall function 0025B91D: __EH_prolog3.LIBCMT ref: 0025B924
Part of subcall function 0025B91D: std::_Lockit::_Lockit.LIBCPMT ref: 0025B92E
Part of subcall function 0025B91D: int.LIBCPMT ref: 0025B945
Part of subcall function 0025B91D: std::_Lockit::~_Lockit.LIBCPMT ref: 0025B99F

Strings

%m / %d / %y, xrefs: 00270309
%b %d %H : %M : %S %Y, xrefs: 002704C5
%H : %M : %S, xrefs: 002703C9
%H : %M, xrefs: 00270352
%I : %M : %S %p, xrefs: 00270597
:AM:am:PM:pm, xrefs: 002705A2
%d / %m / %y, xrefs: 00270570

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1538362411-2891247106
Opcode ID: ca24b49ca602aab37fc3c494b3b4e4fd0ff95c06aba8aa8437c0b4eb4dfbea31
Instruction ID: 8252275693a5f3239dd98179b88f5484b5253ec4a702535c15931034f342ab77
Opcode Fuzzy Hash: ca24b49ca602aab37fc3c494b3b4e4fd0ff95c06aba8aa8437c0b4eb4dfbea31
Instruction Fuzzy Hash: F0C1717252010AEFDB18DE58C9A5DFF3BA9FB09304F148519FA0AE6251D630DA68CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0026A5E3 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 351COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026A5EA

Part of subcall function 00255E20: std::_Lockit::_Lockit.LIBCPMT ref: 0025606D
Part of subcall function 00255E20: std::_Lockit::_Lockit.LIBCPMT ref: 00256090
Part of subcall function 00255E20: std::_Lockit::~_Lockit.LIBCPMT ref: 002560B0
Part of subcall function 00255E20: std::_Lockit::~_Lockit.LIBCPMT ref: 0025613D

Strings

%m / %d / %y, xrefs: 0026A6E6
%b %d %H : %M : %S %Y, xrefs: 0026A8A2
%H : %M : %S, xrefs: 0026A7A6
%H : %M, xrefs: 0026A72F
%I : %M : %S %p, xrefs: 0026A974
:AM:am:PM:pm, xrefs: 0026A97F
%d / %m / %y, xrefs: 0026A94D

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: 0ec71cc2955050373d974f1b775668240247d83f3e466a61d0360312bfdf6b8c
Instruction ID: 38f50740341c785f88e123352d558ec46e6b8f6d86efe5e67b1a149aab801b5e
Opcode Fuzzy Hash: 0ec71cc2955050373d974f1b775668240247d83f3e466a61d0360312bfdf6b8c
Instruction Fuzzy Hash: 82C18E7252010AAFCF19DF68C995DFE7BB8AB09300F15411AFA06F3255D630DAA0DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00276188 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 002762A7
___TypeMatch.LIBVCRUNTIME ref: 002763B5
_UnwindNestedFrames.LIBCMT ref: 00276507
CallUnexpected.LIBVCRUNTIME ref: 00276522

Strings

4), xrefs: 0027629E
csm, xrefs: 002762DE
csm, xrefs: 00276232
csm, xrefs: 002761C5

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: 4)$csm$csm$csm
API String ID: 2751267872-3815687353
Opcode ID: 095302a68ce88067954d3318e8f1ed2e323ed0549d5e6bfc1c6ee0e1d522d0fc
Instruction ID: a75b35cc234a2ac5c9b7d311e557db23872cb7e65bfe6dff14fa64fb0e2b6892
Opcode Fuzzy Hash: 095302a68ce88067954d3318e8f1ed2e323ed0549d5e6bfc1c6ee0e1d522d0fc
Instruction Fuzzy Hash: D2B17C71820A1AEFCF25DFA4C9899AEBBB5FF04310B148159E81D6B212D770DA71CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00266757 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0026675E
_Maklocstr.LIBCPMT ref: 002667C7
_Maklocstr.LIBCPMT ref: 002667D9
_Maklocchr.LIBCPMT ref: 002667F1
_Maklocchr.LIBCPMT ref: 00266801
_Getvals.LIBCPMT ref: 00266823

Part of subcall function 0025F940: _Maklocchr.LIBCPMT ref: 0025F96F
Part of subcall function 0025F940: _Maklocchr.LIBCPMT ref: 0025F985

Strings

false, xrefs: 002667C2
true, xrefs: 002667D4

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
String ID: false$true
API String ID: 3549167292-2658103896
Opcode ID: 82e10c270adcb8ee26899aef20b51f12c36543d259eda1ce8e544ebd94cc9a87
Instruction ID: 3b23a733ded2c17a4ab5b5d1349b546a580b09a946486682eec39996253a38bf
Opcode Fuzzy Hash: 82e10c270adcb8ee26899aef20b51f12c36543d259eda1ce8e544ebd94cc9a87
Instruction Fuzzy Hash: 58218371D20314AADF14EFA4D846A9FBBA8EF05710F048416F8099F182DB709968CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0025E3EE Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0025E3F4
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0025E402
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0025E413
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 0025E424

Strings

GetTempPath2W, xrefs: 0025E419
GetCurrentPackageId, xrefs: 0025E3FC
GetSystemTimePreciseAsFileTime, xrefs: 0025E408
kernel32.dll, xrefs: 0025E3EF

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 7bb40c7720c94d79b984759a72ff240acfd12d48616402000544e96093baf62f
Instruction ID: 524f424349973ef2a9cb49abf9d5700de048a08f68ad1b32d63fa3c9f8aece7a
Opcode Fuzzy Hash: 7bb40c7720c94d79b984759a72ff240acfd12d48616402000544e96093baf62f
Instruction Fuzzy Hash: 0CE062B5DF5310FBCB009F78BC0E8853EE8EA0A7157928617FD06D3260D67445949B51

Uniqueness

Uniqueness Score: -1.00%

Function 0023DE40 Relevance: 13.7, APIs: 9, Instructions: 201COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 0023DF75
std::_Throw_Cpp_error.LIBCPMT ref: 0023DF80

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: 4f0a206325e3c3ee4d9fd70a1f69f758c226395a2752adf1926e18a2ea52d94e
Instruction ID: 49b35fa23790d27205adaa5013e276cc6a886ec0ae792d7af0d0a4f20cc2e3da
Opcode Fuzzy Hash: 4f0a206325e3c3ee4d9fd70a1f69f758c226395a2752adf1926e18a2ea52d94e
Instruction Fuzzy Hash: 0B516D72914644FBDB10EFA4DC42B9BB7BCEB05710F00052AFE14AB681D771A528CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 00234650 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 209libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,GetLogicalProcessorInformation,DBCFA47E), ref: 002346CD
GetProcAddress.KERNEL32(00000000), ref: 002346D4
GetLastError.KERNEL32 ref: 002346EC

Strings

CpuInfoError, xrefs: 00234862, 00234879
Cant get cpu info, xrefs: 0023481A, 00234834
kernel32, xrefs: 00234689
GetLogicalProcessorInformation, xrefs: 00234678

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: Cant get cpu info$CpuInfoError$GetLogicalProcessorInformation$kernel32
API String ID: 4275029093-3855144101
Opcode ID: de0c224609ed36dbcfdf2e0965495087e57a657a4ccf0986486af6fb8c2fa4c2
Instruction ID: dc4ae7e674f5724e9746088e87bf41381bddfea4b64e57c49936cfd47dd93f78
Opcode Fuzzy Hash: de0c224609ed36dbcfdf2e0965495087e57a657a4ccf0986486af6fb8c2fa4c2
Instruction Fuzzy Hash: 3771D5B1920216DFDB10EF68ED497AEB7B0FF02310F144669E802AB291D735AD25CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00257F20 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00258080: __Mtx_unlock.LIBCPMT ref: 0025813C

wsprintfW.USER32 ref: 00257F62
RegCreateKeyW.ADVAPI32(80000002,?,?), ref: 00257F93
RegQueryValueW.ADVAPI32(?,002A7C38,?,?), ref: 00257FC2
CloseHandle.KERNEL32(?), ref: 00258057

Strings

SOFTWARE\Classes\CLSID\{%ws}, xrefs: 00257F5C

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: CloseCreateHandleMtx_unlockQueryValuewsprintf
String ID: SOFTWARE\Classes\CLSID\{%ws}
API String ID: 43845800-1216538723
Opcode ID: fe377bd1a55fe60c4c1c05066a3feec1467d0b73c4c7526bff34f5500d9bab97
Instruction ID: 70790b029be106e5fa9cd9e498e19058f8f767663a3c492bc812975f8a39905a
Opcode Fuzzy Hash: fe377bd1a55fe60c4c1c05066a3feec1467d0b73c4c7526bff34f5500d9bab97
Instruction Fuzzy Hash: E531A4B4510119DFCB10DF54DC48BEAB7B8EF04315F1081AAEA0AA3550DFB49A99CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00266830 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00266837
_Maklocstr.LIBCPMT ref: 0026689E
_Maklocstr.LIBCPMT ref: 002668B0
_Maklocchr.LIBCPMT ref: 002668C8
_Maklocchr.LIBCPMT ref: 002668D8

Strings

false, xrefs: 00266899
true, xrefs: 002668AB

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: MaklocchrMaklocstr$H_prolog3_
String ID: false$true
API String ID: 2404127365-2658103896
Opcode ID: e00cb60fba3a58c4c4fcf7e37e5baee130bcb266a449b265664724f4e2b733e6
Instruction ID: 26f4dfb13eb9681f064e9ebbd2361667e297207646f8dea00a269802eab6d1f7
Opcode Fuzzy Hash: e00cb60fba3a58c4c4fcf7e37e5baee130bcb266a449b265664724f4e2b733e6
Instruction Fuzzy Hash: EA218971D20348AADF14EFA5D885A9BB7B8EF45300F00845AF8059F252EB70D968CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00271BA1 Relevance: 12.2, APIs: 8, Instructions: 224COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?), ref: 00271C2C
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00271CBA
__alloca_probe_16.LIBCMT ref: 00271CE4
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00271D2C
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00271D46
__alloca_probe_16.LIBCMT ref: 00271D6C
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00271DA9
CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00271DC6

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
String ID:
API String ID: 3603178046-0
Opcode ID: e4e4d2ce4b790a35667ca70c7954f7694f27f4c0723627c966fdf918877f3bbf
Instruction ID: 5bbef1f2a5400fe99b7ce4ad8c36b7e08960a09ae8419f2ca5d6a6d915f47dfa
Opcode Fuzzy Hash: e4e4d2ce4b790a35667ca70c7954f7694f27f4c0723627c966fdf918877f3bbf
Instruction Fuzzy Hash: 5971A37193024AABDF219FA9CC45AEE7BBAEF49750F28801AE41CA6150D771C934CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00238AB0 Relevance: 12.2, APIs: 8, Instructions: 183COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00238B85
__Mtx_unlock.LIBCPMT ref: 00238BD9
__Cnd_broadcast.LIBCPMT ref: 00238C31
__Mtx_unlock.LIBCPMT ref: 00238C3A
std::_Throw_Cpp_error.LIBCPMT ref: 00238C8C
std::_Throw_Cpp_error.LIBCPMT ref: 00238C97
__Mtx_destroy_in_situ.LIBCPMT ref: 00238CB0
__Cnd_destroy_in_situ.LIBCPMT ref: 00238CB9

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Mtx_unlock$Cpp_errorThrow_std::_$Cnd_broadcastCnd_destroy_in_situMtx_destroy_in_situ
String ID:
API String ID: 1639359466-0
Opcode ID: 638f0533ea4a6dfa73c54fc26ab192d57bb9bf2900af6650edd5ecf3f886f317
Instruction ID: 443cdf2d4ac4fe3870c75dae9fc9987d5944dfdea9d4f8ca08ce1466456fc4ec
Opcode Fuzzy Hash: 638f0533ea4a6dfa73c54fc26ab192d57bb9bf2900af6650edd5ecf3f886f317
Instruction Fuzzy Hash: E46100F0A11706EBCB24DF64C845B6AF7B4FF01314F04852AF9199B691EB70E929CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00271649 Relevance: 12.2, APIs: 8, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00271692
__alloca_probe_16.LIBCMT ref: 002716BE
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 002716FD
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0027171A
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00271759
__alloca_probe_16.LIBCMT ref: 00271776
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002717B8
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 002717DB

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 1f0070acfe05a14c79d1895c7cb4b349a9e8439d88fc6081d9273772ba74340e
Instruction ID: b8b59c4460ae1356e516f805fc03f16ed770460c361dd0ec4598dc6fd243ba02
Opcode Fuzzy Hash: 1f0070acfe05a14c79d1895c7cb4b349a9e8439d88fc6081d9273772ba74340e
Instruction Fuzzy Hash: 3651B072520216ABEF249FA8CC45FABBBBDEF45750F248525F909DA190D7708C34CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00287A14 Relevance: 10.8, APIs: 7, Instructions: 329COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00287A9A

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 3e4295b06c74faabf52440fe0d7cf89829f2159c9966d8ffde045902855001cc
Instruction ID: 85fb69c9f8388a0439cce210c75b2b6a60e5a185358292b16ff7903384f96d0e
Opcode Fuzzy Hash: 3e4295b06c74faabf52440fe0d7cf89829f2159c9966d8ffde045902855001cc
Instruction Fuzzy Hash: 52B19C3692A3569FDB11AF28CC81BBE7BA5EF55310F344156E804AB2C2D370D921CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0024F540 Relevance: 10.7, APIs: 7, Instructions: 204timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,DBCFA47E,?,?), ref: 0024F5CC
OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?), ref: 0024F5F3
GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,?), ref: 0024F61A
GetSystemTimeAsFileTime.KERNEL32(?,DBCFA47E,?,?), ref: 0024F696
OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?), ref: 0024F6BD
GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,?), ref: 0024F6E5
CloseHandle.KERNEL32(?,?,?), ref: 0024F840

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ProcessTime$FileOpenSystemTimes$CloseHandle
String ID:
API String ID: 4159735832-0
Opcode ID: 5712f19fdd3d0f9c1d61898941154ccf96fc52e4a21dcda8b125099ad9c49df7
Instruction ID: fb47785fd360769acfc16b5cd67239b8be702c7be045ea06a9d1de43f3acbca8
Opcode Fuzzy Hash: 5712f19fdd3d0f9c1d61898941154ccf96fc52e4a21dcda8b125099ad9c49df7
Instruction Fuzzy Hash: 3C919271E10A499BCB05DFB8D985AEDF7B4FF89310F10432AE819B7251EB306494CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00256DC0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00256E49
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00256E9E
__Getctype.LIBCPMT ref: 00256EB7
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00256F01
std::_Lockit::~_Lockit.LIBCPMT ref: 00256F9F

Strings

bad locale name, xrefs: 00256FBD

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: 9133df8e0c2179d05f9937887576586347ccd5a6e258e2d469bc6626230ea8d5
Instruction ID: 0db9604c4c22c35b375d39b1a4d7986bdb16631dc345650a311c79f544383ef0
Opcode Fuzzy Hash: 9133df8e0c2179d05f9937887576586347ccd5a6e258e2d469bc6626230ea8d5
Instruction Fuzzy Hash: B251AFB1D243598FEF20DFA4C945B9EBBB4BF14300F148269DC49A7242EB34A968CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00258C34 Relevance: 10.6, APIs: 7, Instructions: 150threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00258C5C
GetCurrentThreadId.KERNEL32 ref: 00258C79
GetCurrentThreadId.KERNEL32 ref: 00258C9A
GetCurrentThreadId.KERNEL32 ref: 00258D1A
__Xtime_diff_to_millis2.LIBCPMT ref: 00258D32
GetCurrentThreadId.KERNEL32 ref: 00258D5C
GetCurrentThreadId.KERNEL32 ref: 00258DA2

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: CurrentThread$Xtime_diff_to_millis2
String ID:
API String ID: 1280559528-0
Opcode ID: 0a918f0ce24012d2fd7f3256985fbdc438f00a4fe631d35919407ec22cbf2bc0
Instruction ID: 6a0297915639faebf744169dd670cbac7e730ef9512f3622f8fca0c32ae7762d
Opcode Fuzzy Hash: 0a918f0ce24012d2fd7f3256985fbdc438f00a4fe631d35919407ec22cbf2bc0
Instruction Fuzzy Hash: 8051BD31921106CBCF10DF24D9859A9B7F1EF18312B25845ADC46FB295DBB0ED58CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00275C20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00275C57
___except_validate_context_record.LIBVCRUNTIME ref: 00275C5F
_ValidateLocalCookies.LIBCMT ref: 00275CE8
__IsNonwritableInCurrentImage.LIBCMT ref: 00275D13
_ValidateLocalCookies.LIBCMT ref: 00275D68

Strings

csm, xrefs: 00275CFD

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 5a0672926f4c5fc34347389c5f2b6debcfa487f513f1c65d0fe6ade26256a96f
Instruction ID: 631b2d525c7387bdd7dda8a9b358c78d888fd13901a592950bd568007fd0dd59
Opcode Fuzzy Hash: 5a0672926f4c5fc34347389c5f2b6debcfa487f513f1c65d0fe6ade26256a96f
Instruction Fuzzy Hash: 2C41D334A20A29DBCF11DF68C885A9EFBB1BF05314F14C05AE81D5B392D7B19921CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00288FF9 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00289108,00285594,0000000C,00000000,?,00000000,?,00289372,00000022,FlsSetValue,002A11F4,002A11FC,?), ref: 002890BA

Strings

api-ms-, xrefs: 00289050
ext-ms-, xrefs: 00289064

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: bd1ddea6b805a0c137a2a522f074ad308a649a0b65010afdcb5ace1f9f5852cd
Instruction ID: 1f75ba8b5bbd8bf4287281aa9bc60f1056715e6640314c7e4e2dec43e629cf2a
Opcode Fuzzy Hash: bd1ddea6b805a0c137a2a522f074ad308a649a0b65010afdcb5ace1f9f5852cd
Instruction Fuzzy Hash: E821D035A22112ABCB31AF25EC48A7A7754DF41764F394211FD05A72D1E770ED60CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0023DD90 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 0023DE0C
std::_Throw_Cpp_error.LIBCPMT ref: 0023DE27
std::_Throw_Cpp_error.LIBCPMT ref: 0023DE32

Part of subcall function 00257F20: wsprintfW.USER32 ref: 00257F62
Part of subcall function 00257F20: RegCreateKeyW.ADVAPI32(80000002,?,?), ref: 00257F93
Part of subcall function 00257F20: RegQueryValueW.ADVAPI32(?,002A7C38,?,?), ref: 00257FC2
Part of subcall function 00257F20: CloseHandle.KERNEL32(?), ref: 00258057

Strings

activationStatus=%ws, xrefs: 0023E160, 0023E177
Fast!, xrefs: 0023E226, 0023E23D
activation_status_changed, xrefs: 0023E1E4, 0023E1FB

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CloseCreateHandleMtx_unlockQueryValuewsprintf
String ID: Fast!$activationStatus=%ws$activation_status_changed
API String ID: 756159459-4141419543
Opcode ID: a3c10e7b820827aa377d3764934c9776e57a1f9a3310da78ff1c733154ceff5e
Instruction ID: ab5aac508d2a571e353494dea2915ab73dfd7c43ff02d86e74b593dbdc0e3ce8
Opcode Fuzzy Hash: a3c10e7b820827aa377d3764934c9776e57a1f9a3310da78ff1c733154ceff5e
Instruction Fuzzy Hash: C11106B1914A05ABD700DF24D842B8AB7B8FB08710F10472AF8149BAC0EB70B528CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 0026E013 Relevance: 10.5, APIs: 7, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026E01A
std::_Lockit::_Lockit.LIBCPMT ref: 0026E024
int.LIBCPMT ref: 0026E03B

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

moneypunct.LIBCPMT ref: 0026E05E
std::_Facet_Register.LIBCPMT ref: 0026E075
std::_Lockit::~_Lockit.LIBCPMT ref: 0026E095
Concurrency::cancel_current_task.LIBCPMT ref: 0026E0A2

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: 81c6af1dc19dddc7ee07e70be2e5d5b61a617c606491f3d8115ff2a4e358aedf
Instruction ID: 9c420672cae7b0d07254d20411a7c4d89d5aa9165181d700f6041f33deb428f0
Opcode Fuzzy Hash: 81c6af1dc19dddc7ee07e70be2e5d5b61a617c606491f3d8115ff2a4e358aedf
Instruction Fuzzy Hash: 1401043582011A9BCF00EF64E846ABDB7A0AF84310F698149F815B72C1CFB09E688F81

Uniqueness

Uniqueness Score: -1.00%

Function 0026E0A8 Relevance: 10.5, APIs: 7, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026E0AF
std::_Lockit::_Lockit.LIBCPMT ref: 0026E0B9
int.LIBCPMT ref: 0026E0D0

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

moneypunct.LIBCPMT ref: 0026E0F3
std::_Facet_Register.LIBCPMT ref: 0026E10A
std::_Lockit::~_Lockit.LIBCPMT ref: 0026E12A
Concurrency::cancel_current_task.LIBCPMT ref: 0026E137

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: 1c2676262e5bd8f0dccfbb8da1291d857eb6f9360307bb96339756efdbec50f6
Instruction ID: 397c271830028099077e9b0530d90463edfd1885eb425465a47ac805a650603a
Opcode Fuzzy Hash: 1c2676262e5bd8f0dccfbb8da1291d857eb6f9360307bb96339756efdbec50f6
Instruction Fuzzy Hash: D7012639820216CBCF04EF64D846ABEB7B0AF44311F654149F815AB2C1CF709EA5CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00262087 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026208E
std::_Lockit::_Lockit.LIBCPMT ref: 00262098
int.LIBCPMT ref: 002620AF

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

codecvt.LIBCPMT ref: 002620D2
std::_Facet_Register.LIBCPMT ref: 002620E9
std::_Lockit::~_Lockit.LIBCPMT ref: 00262109
Concurrency::cancel_current_task.LIBCPMT ref: 00262116

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 263d34d8a31c7cf7179fd15c0ad20593bd9c84e5c11664a796c2589db0dd4592
Instruction ID: 83040dd13b2d3e7a7599a53e88d50e184f9102d9b0088bdb392286bc74dea24e
Opcode Fuzzy Hash: 263d34d8a31c7cf7179fd15c0ad20593bd9c84e5c11664a796c2589db0dd4592
Instruction Fuzzy Hash: 9E010431D2011ADBCB00EB60D80A6AEB7B0BF40311F644149FD05AB281CF709E69CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0026211C Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00262123
std::_Lockit::_Lockit.LIBCPMT ref: 0026212D
int.LIBCPMT ref: 00262144

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

collate.LIBCPMT ref: 00262167
std::_Facet_Register.LIBCPMT ref: 0026217E
std::_Lockit::~_Lockit.LIBCPMT ref: 0026219E
Concurrency::cancel_current_task.LIBCPMT ref: 002621AB

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
String ID:
API String ID: 1767075461-0
Opcode ID: 4e6e088bcdad6c77b9aec739bc1cc1b6c2fe39660daae5e04cbdd556ffd1619b
Instruction ID: a2a82afd8c5b1eda34ac8da327595201bb0f7c9b6bd8ab426ccd6e90e7501277
Opcode Fuzzy Hash: 4e6e088bcdad6c77b9aec739bc1cc1b6c2fe39660daae5e04cbdd556ffd1619b
Instruction Fuzzy Hash: EE01D631D2051ADFCB04EB60D85A6BEB7B0AF84311F644149F915AB2C1CF709E698F85

Uniqueness

Uniqueness Score: -1.00%

Function 002621B1 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002621B8
std::_Lockit::_Lockit.LIBCPMT ref: 002621C2
int.LIBCPMT ref: 002621D9

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

collate.LIBCPMT ref: 002621FC
std::_Facet_Register.LIBCPMT ref: 00262213
std::_Lockit::~_Lockit.LIBCPMT ref: 00262233
Concurrency::cancel_current_task.LIBCPMT ref: 00262240

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
String ID:
API String ID: 1767075461-0
Opcode ID: b3a61743e17cdefc2d29efec4ea99a6101b5bcd7ef0ee3f89aa21bdb85212322
Instruction ID: 751b2c0685bfcfba901199e6f66c00b08cf9d81a322ac92d39c379f0efe2da50
Opcode Fuzzy Hash: b3a61743e17cdefc2d29efec4ea99a6101b5bcd7ef0ee3f89aa21bdb85212322
Instruction Fuzzy Hash: 90010431820116DBCB04EBA0D816AADB7A0AF44310F244149FD01A72D1CF709E69CF85

Uniqueness

Uniqueness Score: -1.00%

Function 002626EE Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002626F5
std::_Lockit::_Lockit.LIBCPMT ref: 002626FF
int.LIBCPMT ref: 00262716

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

moneypunct.LIBCPMT ref: 00262739
std::_Facet_Register.LIBCPMT ref: 00262750
std::_Lockit::~_Lockit.LIBCPMT ref: 00262770
Concurrency::cancel_current_task.LIBCPMT ref: 0026277D

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: 00aa177b2541e6674f759f3996d08aba7076a0d0b709104db763bc5a85cea660
Instruction ID: 240cc3b89711c0855d969014c772395231c02a7f1360e7a1e59610b90f2de5f6
Opcode Fuzzy Hash: 00aa177b2541e6674f759f3996d08aba7076a0d0b709104db763bc5a85cea660
Instruction Fuzzy Hash: 0901223182011ACBCB05EBA0D80AABDB7B0AF44311F644149F811AB2D1CF709E68CF89

Uniqueness

Uniqueness Score: -1.00%

Function 00262783 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026278A
std::_Lockit::_Lockit.LIBCPMT ref: 00262794
int.LIBCPMT ref: 002627AB

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

moneypunct.LIBCPMT ref: 002627CE
std::_Facet_Register.LIBCPMT ref: 002627E5
std::_Lockit::~_Lockit.LIBCPMT ref: 00262805
Concurrency::cancel_current_task.LIBCPMT ref: 00262812

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: d744507d1a61c16bbbeb274c2812068456ff4793dc0fa27c20d09d8db421bf56
Instruction ID: 8699d1834633e55c7c90615f75ca322d529e19e62d0d5fb6c21f90e8c3b4d4b4
Opcode Fuzzy Hash: d744507d1a61c16bbbeb274c2812068456ff4793dc0fa27c20d09d8db421bf56
Instruction Fuzzy Hash: 7101D631D20116DBCB05EB60D85AABDB7B0AF84311F644149FD01AB2C1DF749D69CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00262818 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026281F
std::_Lockit::_Lockit.LIBCPMT ref: 00262829
int.LIBCPMT ref: 00262840

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

moneypunct.LIBCPMT ref: 00262863
std::_Facet_Register.LIBCPMT ref: 0026287A
std::_Lockit::~_Lockit.LIBCPMT ref: 0026289A
Concurrency::cancel_current_task.LIBCPMT ref: 002628A7

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
String ID:
API String ID: 3376033448-0
Opcode ID: 989c9ca519ccc4bb0ffaeae7540c5a1cc3b3caac366c132f3f9f919f7d009ea7
Instruction ID: ed9193643221ece1683c67618d02e8040f6100c1994e587c43d4174758d565ad
Opcode Fuzzy Hash: 989c9ca519ccc4bb0ffaeae7540c5a1cc3b3caac366c132f3f9f919f7d009ea7
Instruction Fuzzy Hash: 9801C031D20216DBCB04EBA4D84AABEB7A1AF84311F644149F815AB2C1DF709E69CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00262B01 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00262B08
std::_Lockit::_Lockit.LIBCPMT ref: 00262B12
int.LIBCPMT ref: 00262B29

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

numpunct.LIBCPMT ref: 00262B4C
std::_Facet_Register.LIBCPMT ref: 00262B63
std::_Lockit::~_Lockit.LIBCPMT ref: 00262B83
Concurrency::cancel_current_task.LIBCPMT ref: 00262B90

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
String ID:
API String ID: 3064348918-0
Opcode ID: cbb60ff9055ed252a72c7154f7f18387255901b5854f6001e87623eb977d7c8b
Instruction ID: b174ce036b80f4d40508d1ea0e27b69a57f2601e96cb41b1cbe745d73a36a9e3
Opcode Fuzzy Hash: cbb60ff9055ed252a72c7154f7f18387255901b5854f6001e87623eb977d7c8b
Instruction Fuzzy Hash: 07010031920116DFCB00EFA0D856AAEB7A0AF45324F684649F815AB2C1CF709E68CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00262B96 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00262B9D
std::_Lockit::_Lockit.LIBCPMT ref: 00262BA7
int.LIBCPMT ref: 00262BBE

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

numpunct.LIBCPMT ref: 00262BE1
std::_Facet_Register.LIBCPMT ref: 00262BF8
std::_Lockit::~_Lockit.LIBCPMT ref: 00262C18
Concurrency::cancel_current_task.LIBCPMT ref: 00262C25

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
String ID:
API String ID: 3064348918-0
Opcode ID: bfcc915ed0cabd0f6ed2986290ed65f343a6771552f03d226de9c00ab0406a2e
Instruction ID: e43a4d3396add220319adf47273cfeb54f87703d1f670b32e4e62805f01b9d7b
Opcode Fuzzy Hash: bfcc915ed0cabd0f6ed2986290ed65f343a6771552f03d226de9c00ab0406a2e
Instruction Fuzzy Hash: 87010431820126CBCF05EF60D84A6ADB7B1AF44310F64414AF911A72C1DF709EA88F85

Uniqueness

Uniqueness Score: -1.00%

Function 0025B888 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0025B88F
std::_Lockit::_Lockit.LIBCPMT ref: 0025B899
int.LIBCPMT ref: 0025B8B0

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

codecvt.LIBCPMT ref: 0025B8D3
std::_Facet_Register.LIBCPMT ref: 0025B8EA
std::_Lockit::~_Lockit.LIBCPMT ref: 0025B90A
Concurrency::cancel_current_task.LIBCPMT ref: 0025B917

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 0a04d6b0a0f5f318b7fd542c7580955b0547612a4a273d5324ee2a93c8e868aa
Instruction ID: 0c26fb66da30c88a8c81a670c4978f86aca7100cb3a45f9406dd4bef5d91850c
Opcode Fuzzy Hash: 0a04d6b0a0f5f318b7fd542c7580955b0547612a4a273d5324ee2a93c8e868aa
Instruction Fuzzy Hash: C001C835D2021ADBCF05EB60D44A5BD7760AF44311F644109FD11A7291DF749D69CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0025B91D Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0025B924
std::_Lockit::_Lockit.LIBCPMT ref: 0025B92E
int.LIBCPMT ref: 0025B945

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

ctype.LIBCPMT ref: 0025B968
std::_Facet_Register.LIBCPMT ref: 0025B97F
std::_Lockit::~_Lockit.LIBCPMT ref: 0025B99F
Concurrency::cancel_current_task.LIBCPMT ref: 0025B9AC

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
String ID:
API String ID: 2958136301-0
Opcode ID: 1608d4b9ad985f3cf3717f9cdd450e8a8d77a5e8c3702c0b72fcd9a547a04dfb
Instruction ID: 6cd3c923ed14fcb066f641a2d2da7039e5b33be0e38ed8c82f2a7a6b3764069f
Opcode Fuzzy Hash: 1608d4b9ad985f3cf3717f9cdd450e8a8d77a5e8c3702c0b72fcd9a547a04dfb
Instruction Fuzzy Hash: 2601C431D202169BCF05EB64D84A6BDB771AF84311F644209FD05AB291DF709D69CF89

Uniqueness

Uniqueness Score: -1.00%

Function 0025BADC Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0025BAE3
std::_Lockit::_Lockit.LIBCPMT ref: 0025BAED
int.LIBCPMT ref: 0025BB04

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

numpunct.LIBCPMT ref: 0025BB27
std::_Facet_Register.LIBCPMT ref: 0025BB3E
std::_Lockit::~_Lockit.LIBCPMT ref: 0025BB5E
Concurrency::cancel_current_task.LIBCPMT ref: 0025BB6B

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
String ID:
API String ID: 3064348918-0
Opcode ID: 465a0395ba73185c062dd751f5aa945ef08927ff55a9d752e95d58481ff0a693
Instruction ID: ab9c491ed1d3e02560e32b1db17ffd6361a113c254ecb6d9854458ea84bed5c3
Opcode Fuzzy Hash: 465a0395ba73185c062dd751f5aa945ef08927ff55a9d752e95d58481ff0a693
Instruction Fuzzy Hash: CD010431C2011A9FCF05EFA0D8466BDB771AF40315F644209FC01A7281DFB09E298F89

Uniqueness

Uniqueness Score: -1.00%

Function 0026DDBF Relevance: 10.5, APIs: 7, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026DDC6
std::_Lockit::_Lockit.LIBCPMT ref: 0026DDD0
int.LIBCPMT ref: 0026DDE7

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

collate.LIBCPMT ref: 0026DE0A
std::_Facet_Register.LIBCPMT ref: 0026DE21
std::_Lockit::~_Lockit.LIBCPMT ref: 0026DE41
Concurrency::cancel_current_task.LIBCPMT ref: 0026DE4E

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
String ID:
API String ID: 1767075461-0
Opcode ID: b9b148f580f26eef2314c52a41270b8c5e5e9cb9b34cc3f4bd0cdaefc42766b5
Instruction ID: 23855ecd85f9a48f3bec1f3060fce14113b72f569d85edf8e8085e22afb9706e
Opcode Fuzzy Hash: b9b148f580f26eef2314c52a41270b8c5e5e9cb9b34cc3f4bd0cdaefc42766b5
Instruction Fuzzy Hash: 85010431D2061A9BCB00EF60D8466BDB7B0AF54710F644149F801AB280CF709EA9CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0026DE54 Relevance: 10.5, APIs: 7, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026DE5B
std::_Lockit::_Lockit.LIBCPMT ref: 0026DE65
int.LIBCPMT ref: 0026DE7C

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

messages.LIBCPMT ref: 0026DE9F
std::_Facet_Register.LIBCPMT ref: 0026DEB6
std::_Lockit::~_Lockit.LIBCPMT ref: 0026DED6
Concurrency::cancel_current_task.LIBCPMT ref: 0026DEE3

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
String ID:
API String ID: 958335874-0
Opcode ID: 4601154e265f9b0c128ef712b9a79ac958f23cfc33bf78c8c0d75efc773f98fe
Instruction ID: 7d237fb5d5838b7cfbd1d3212eb906a55322b8cd49c4b1061f6033d42df3e7cd
Opcode Fuzzy Hash: 4601154e265f9b0c128ef712b9a79ac958f23cfc33bf78c8c0d75efc773f98fe
Instruction Fuzzy Hash: F6010031D2021A9BCF00EFA0E8466BEB7B4AF44311F684549F801AB2D0CF709E68CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00261FF2 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00261FF9
std::_Lockit::_Lockit.LIBCPMT ref: 00262003
int.LIBCPMT ref: 0026201A

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

codecvt.LIBCPMT ref: 0026203D
std::_Facet_Register.LIBCPMT ref: 00262054
std::_Lockit::~_Lockit.LIBCPMT ref: 00262074
Concurrency::cancel_current_task.LIBCPMT ref: 00262081

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: ea3295b107aca5c16f877570c2e2b4d69ce910c527fba3dc0cd642659091a747
Instruction ID: 7a4453ff609ccea04917ccf6e8559f384850d683854e3ab7edd7a939a0459233
Opcode Fuzzy Hash: ea3295b107aca5c16f877570c2e2b4d69ce910c527fba3dc0cd642659091a747
Instruction Fuzzy Hash: DB010031C20616DBCF00EBA4D85A6AEB7B0AF54310F644149FC01AB2C1CF709EA8CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00238E20 Relevance: 9.3, APIs: 6, Instructions: 337threadCOMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00238ED4
GetCurrentThreadId.KERNEL32 ref: 00238EE2
__Mtx_unlock.LIBCPMT ref: 00238F33
__Cnd_broadcast.LIBCPMT ref: 00238F3C
std::_Throw_Cpp_error.LIBCPMT ref: 00238F6E
std::_Throw_Cpp_error.LIBCPMT ref: 00238F79

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Cpp_errorMtx_unlockThrow_std::_$Cnd_broadcastCurrentThread
String ID:
API String ID: 3121442025-0
Opcode ID: 41ac6dcd62ce27320d1d2377357eb2536a686de0017832fd5a2008681ef387d2
Instruction ID: 9f883e241551762a6c2488cf677f8df57ff917140732765641ee8bf55cdde709
Opcode Fuzzy Hash: 41ac6dcd62ce27320d1d2377357eb2536a686de0017832fd5a2008681ef387d2
Instruction Fuzzy Hash: B9D188B0A11616CFDB25CF68C88475ABBF0FF09710F188169E819AB391EB75E951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00280C29 Relevance: 9.3, APIs: 6, Instructions: 285COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00280DB1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00280DCD
__allrem.LIBCMT ref: 00280DE4
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00280E02
__allrem.LIBCMT ref: 00280E19
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00280E37

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 77a6ae16040445a4732995100f0ccf9ae1ad36f0ec732fc5913a7fc7238bf0d0
Instruction ID: 74d9ebeb6dc3d2abc63d69d0234c6b1ff47a42878e6e7d72b7ac8ffd086e893a
Opcode Fuzzy Hash: 77a6ae16040445a4732995100f0ccf9ae1ad36f0ec732fc5913a7fc7238bf0d0
Instruction Fuzzy Hash: 5B813A76A227029FE760BF69DCC1B6B73E9AF44324F14462AF455D72C1E770D9288B40

Uniqueness

Uniqueness Score: -1.00%

Function 0023B370 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 384COMMON

Download Yara Rule

APIs

__Xtime_get_ticks.LIBCPMT ref: 0023B3A0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0023B3AE

Part of subcall function 002230C0: GetProcessHeap.KERNEL32 ref: 002230EC

Part of subcall function 002222E0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,00221170,/pixel.gif,?,80004005,DBCFA47E,00000000,0029768F,000000FF), ref: 0022231A

Strings

errorMsg=%ws&errorCode=%u, xrefs: 0023B47D
Fast!, xrefs: 0023B3D2, 0023B3EC
errorMsg=%ws, xrefs: 0023B438, 0023B44F

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: FindHeapProcessResourceUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
String ID: Fast!$errorMsg=%ws$errorMsg=%ws&errorCode=%u
API String ID: 2519110999-1285405227
Opcode ID: f9fca3904b180cc1f909dfbf3e75ad9315befdc094b0d4a2752b8ef860ea2242
Instruction ID: 79a51f2271975c7b1299084d8242b92ac807720f97d81c34774eca9d6d1b8224
Opcode Fuzzy Hash: f9fca3904b180cc1f909dfbf3e75ad9315befdc094b0d4a2752b8ef860ea2242
Instruction Fuzzy Hash: 78E10571920205EFDB05EFB8D859BADB7B0EF41310F14815CE905AB292DB319E28CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002835BD Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 370COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 002836A7
__freea.LIBCMT ref: 00283737
__freea.LIBCMT ref: 00283753

Strings

am/pm, xrefs: 002837B5
a/p, xrefs: 00283819

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm
API String ID: 3509577899-3206640213
Opcode ID: 0c3607813d021af5ef2f4c8cbcc7e84d55625016b46e2e0214e81ba831bf13d4
Instruction ID: 2cc6a3dad39aac9aeee0666e03ae25069b0a3c3dd5f772f73029a0432d0fe9d2
Opcode Fuzzy Hash: 0c3607813d021af5ef2f4c8cbcc7e84d55625016b46e2e0214e81ba831bf13d4
Instruction Fuzzy Hash: E3C1E17D936217DBCB24EF68C885ABAB7B0FF05B00F144159E805AB2D0D3B59E61CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00237AC0 Relevance: 9.1, APIs: 6, Instructions: 76COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00237AFA
__Mtx_unlock.LIBCPMT ref: 00237B10
__Cnd_broadcast.LIBCPMT ref: 00237B40
__Mtx_unlock.LIBCPMT ref: 00237B46
std::_Throw_Cpp_error.LIBCPMT ref: 00237B7A
std::_Throw_Cpp_error.LIBCPMT ref: 00237B85

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Mtx_unlock$Cpp_errorThrow_std::_$Cnd_broadcast
String ID:
API String ID: 4207855644-0
Opcode ID: 60392d21aca772e92730dee37aa59e03cd97b20a5ffd0c707c1ada11c5ee7694
Instruction ID: 0f51e271434611aa034c716198480911d62bb943af0f5edb71ae151b560124a8
Opcode Fuzzy Hash: 60392d21aca772e92730dee37aa59e03cd97b20a5ffd0c707c1ada11c5ee7694
Instruction Fuzzy Hash: 48110AF15216029FDB21AF609806A5AF7B9AF11369F040115FE149B242DB70E83ACBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00275E1A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00275E11,002737B0,00259817,DBCFA47E,?,?,?,00000000,00299F57,000000FF,?,00239CFF), ref: 00275E28
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00275E36
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00275E4F
SetLastError.KERNEL32(00000000,?,?,00000000,00299F57,000000FF,?,00239CFF,?,?,?), ref: 00275EA1

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: eb4cd9272092f07ea947f49103e405c4f9b03f9ea191f57b22dd780eafa1c92d
Instruction ID: e91ea380ddee375dff75d572f11b6733dd6789405afad90620db689ec8283c27
Opcode Fuzzy Hash: eb4cd9272092f07ea947f49103e405c4f9b03f9ea191f57b22dd780eafa1c92d
Instruction Fuzzy Hash: D401B53253DB325FA6152E78FC49727A658EB05775770832AF05C950E1EFB24D209A84

Uniqueness

Uniqueness Score: -1.00%

Function 00257CF0 Relevance: 9.1, APIs: 6, Instructions: 58windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000402,?,?), ref: 00257D17
DefWindowProcW.USER32(?,?,?,?), ref: 00257D23
PostMessageW.USER32(?,00000401,00000000,00000000), ref: 00257D3C
DefWindowProcW.USER32(?,?,?,?), ref: 00257D48
PostQuitMessage.USER32(00000000), ref: 00257D57
DefWindowProcW.USER32(?,?,?,?), ref: 00257D63

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: MessagePostProcWindow$Quit
String ID:
API String ID: 3552470998-0
Opcode ID: 2470aaeee6cae9709e8395205aaa706a5beb7365d750d83a95231ac6f0d326d8
Instruction ID: 094f70582b25ccd0cdb5ca5a61f69106d451151d8f4b48766d633756da403269
Opcode Fuzzy Hash: 2470aaeee6cae9709e8395205aaa706a5beb7365d750d83a95231ac6f0d326d8
Instruction Fuzzy Hash: 9E015A73281129BBEB115F99BC4CFAF7B2CEF8A762F100012FB01A10A08371582196B8

Uniqueness

Uniqueness Score: -1.00%

Function 0026E13D Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026E144
std::_Lockit::_Lockit.LIBCPMT ref: 0026E14E
int.LIBCPMT ref: 0026E165

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

std::_Facet_Register.LIBCPMT ref: 0026E19F
std::_Lockit::~_Lockit.LIBCPMT ref: 0026E1BF
Concurrency::cancel_current_task.LIBCPMT ref: 0026E1CC

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: e8e7a41fed6ef27bc37864582569baf10b5dd0bb7110b0c119675451ec3820b5
Instruction ID: 626a6900e16fa30753ed300b5c7b1e93a85c31f1392ef8e6ded7f0cbfb8c92e5
Opcode Fuzzy Hash: e8e7a41fed6ef27bc37864582569baf10b5dd0bb7110b0c119675451ec3820b5
Instruction Fuzzy Hash: BC010035D2011A9BCF00EBA4D84A6AEB7B0AF41310F254149FC15AB2C1CF709E69CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0026E1D2 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026E1D9
std::_Lockit::_Lockit.LIBCPMT ref: 0026E1E3
int.LIBCPMT ref: 0026E1FA

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

std::_Facet_Register.LIBCPMT ref: 0026E234
std::_Lockit::~_Lockit.LIBCPMT ref: 0026E254
Concurrency::cancel_current_task.LIBCPMT ref: 0026E261

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 38d342ce87c4ede1e9b6971a8769eed7f81eadff3e9aee58f2f66bcee05b581f
Instruction ID: 5dc06f18326c1ab936a10a41867a8331e0d1e333c322fde9aec13f4f7eb2f7dc
Opcode Fuzzy Hash: 38d342ce87c4ede1e9b6971a8769eed7f81eadff3e9aee58f2f66bcee05b581f
Instruction Fuzzy Hash: FB0104358201168BCF00EFA0D8566ADB7B5AF84310F254109FD01AB281DF709EA98F85

Uniqueness

Uniqueness Score: -1.00%

Function 002628AD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002628B4
std::_Lockit::_Lockit.LIBCPMT ref: 002628BE
int.LIBCPMT ref: 002628D5

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

std::_Facet_Register.LIBCPMT ref: 0026290F
std::_Lockit::~_Lockit.LIBCPMT ref: 0026292F
Concurrency::cancel_current_task.LIBCPMT ref: 0026293C

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 3b73d704cb7c3b8924e4e1c9b7183c05751501f521a3ecc5d291ff3980f69ddd
Instruction ID: 69ddd3d84967cad3673cb0c2f655a8e4a3ec983c5fef530a05c791c53d421d64
Opcode Fuzzy Hash: 3b73d704cb7c3b8924e4e1c9b7183c05751501f521a3ecc5d291ff3980f69ddd
Instruction Fuzzy Hash: AA010031920216CBCB01EBA0D8466BEB7A0AF84311F644149FD05AB2C1CF709EA98F85

Uniqueness

Uniqueness Score: -1.00%

Function 00262942 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00262949
std::_Lockit::_Lockit.LIBCPMT ref: 00262953
int.LIBCPMT ref: 0026296A

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

std::_Facet_Register.LIBCPMT ref: 002629A4
std::_Lockit::~_Lockit.LIBCPMT ref: 002629C4
Concurrency::cancel_current_task.LIBCPMT ref: 002629D1

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: f726817df9cddc958592fcad03ae08af62fe757dc3c056d641e9d2e1491f7ba8
Instruction ID: 30ec7ed417d5d06a6bcdd8f56cd25186ae3043a5c6e8b89b72fbd5dcd377a6b9
Opcode Fuzzy Hash: f726817df9cddc958592fcad03ae08af62fe757dc3c056d641e9d2e1491f7ba8
Instruction Fuzzy Hash: 4A010431D20216DBCB00EFA0D80A6ADB7A0AF80311F344549FC11AB2D1CF709D68CF85

Uniqueness

Uniqueness Score: -1.00%

Function 002629D7 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002629DE
std::_Lockit::_Lockit.LIBCPMT ref: 002629E8
int.LIBCPMT ref: 002629FF

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

std::_Facet_Register.LIBCPMT ref: 00262A39
std::_Lockit::~_Lockit.LIBCPMT ref: 00262A59
Concurrency::cancel_current_task.LIBCPMT ref: 00262A66

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: b8430b4e345ba8ed75382478f8cfcae13d3d13872b97ea1a15ca37928b68a55c
Instruction ID: a54b642dd4f52c3e9f01d0fdb021b11f47833c5f4ed3d73dd79d4c89bcedf901
Opcode Fuzzy Hash: b8430b4e345ba8ed75382478f8cfcae13d3d13872b97ea1a15ca37928b68a55c
Instruction Fuzzy Hash: 02010431820116DFCF10EBA0D8066AEB7A0AF44710F244149FD05A73C0CFB09E698F85

Uniqueness

Uniqueness Score: -1.00%

Function 00262A6C Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00262A73
std::_Lockit::_Lockit.LIBCPMT ref: 00262A7D
int.LIBCPMT ref: 00262A94

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

std::_Facet_Register.LIBCPMT ref: 00262ACE
std::_Lockit::~_Lockit.LIBCPMT ref: 00262AEE
Concurrency::cancel_current_task.LIBCPMT ref: 00262AFB

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: d3933de951756b800291747a68c5f84e8716e14959716ce24d61acad27687a7f
Instruction ID: e734abcf6cbdb1bb92e5c682c279a835444f755bb36941de9e21abf0f410f31f
Opcode Fuzzy Hash: d3933de951756b800291747a68c5f84e8716e14959716ce24d61acad27687a7f
Instruction Fuzzy Hash: A1010431820216CBCF04EBA0D84A6AEB7B0BF44311F244609F911A7290CFB09DA9CFC1

Uniqueness

Uniqueness Score: -1.00%

Function 00262C2B Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00262C32
std::_Lockit::_Lockit.LIBCPMT ref: 00262C3C
int.LIBCPMT ref: 00262C53

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

std::_Facet_Register.LIBCPMT ref: 00262C8D
std::_Lockit::~_Lockit.LIBCPMT ref: 00262CAD
Concurrency::cancel_current_task.LIBCPMT ref: 00262CBA

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 99e0b4821cb4a152baebd0a46e816375af07c3ec1675480399f47140a9f340d7
Instruction ID: 305dcdd577025e329c591955dfc6baaa10868a384e1b75ee48b6317c8913b01f
Opcode Fuzzy Hash: 99e0b4821cb4a152baebd0a46e816375af07c3ec1675480399f47140a9f340d7
Instruction Fuzzy Hash: 8C010031820116DBCF00EBA4D8066AEB7B1AF84311F69410AFC01AB281CF709E688F82

Uniqueness

Uniqueness Score: -1.00%

Function 00262CC0 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00262CC7
std::_Lockit::_Lockit.LIBCPMT ref: 00262CD1
int.LIBCPMT ref: 00262CE8

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

std::_Facet_Register.LIBCPMT ref: 00262D22
std::_Lockit::~_Lockit.LIBCPMT ref: 00262D42
Concurrency::cancel_current_task.LIBCPMT ref: 00262D4F

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 7182776e575d3b95a58a22f9630edc168068615df83021830f91ae3a3b2fc6fa
Instruction ID: 997c29f6eb0fdee6a8463582be862b1783ee6586a72bc18398dbe948ede3e46a
Opcode Fuzzy Hash: 7182776e575d3b95a58a22f9630edc168068615df83021830f91ae3a3b2fc6fa
Instruction Fuzzy Hash: 6701C43192021ADBCB04EF60D8466BDB7B1AF84311F644149FD15AB291DF709E698F85

Uniqueness

Uniqueness Score: -1.00%

Function 00262D55 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00262D5C
std::_Lockit::_Lockit.LIBCPMT ref: 00262D66
int.LIBCPMT ref: 00262D7D

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

std::_Facet_Register.LIBCPMT ref: 00262DB7
std::_Lockit::~_Lockit.LIBCPMT ref: 00262DD7
Concurrency::cancel_current_task.LIBCPMT ref: 00262DE4

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: b7ec119c9f652c42ab109687201ae13ef5e0b83ee90233ad75cef99511668f6f
Instruction ID: 88eb9dd4eb732c299b6715b7fc21e6999f4fe92346805d2216921a4a22d15f27
Opcode Fuzzy Hash: b7ec119c9f652c42ab109687201ae13ef5e0b83ee90233ad75cef99511668f6f
Instruction Fuzzy Hash: 9C01C03192061ADBCF04EBA4D8066ADB7B0BF45311F644549F901AB2C1DF709EA8CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00262DEA Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00262DF1
std::_Lockit::_Lockit.LIBCPMT ref: 00262DFB
int.LIBCPMT ref: 00262E12

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

std::_Facet_Register.LIBCPMT ref: 00262E4C
std::_Lockit::~_Lockit.LIBCPMT ref: 00262E6C
Concurrency::cancel_current_task.LIBCPMT ref: 00262E79

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 3c7cd13890cd43b413c51edd9c5ce2d2d368514bfa04d20b1fbdc16ba189c47e
Instruction ID: 85e1d6621e06782c0e457780cd9532a56670db0405992a798faa5c937898f4ec
Opcode Fuzzy Hash: 3c7cd13890cd43b413c51edd9c5ce2d2d368514bfa04d20b1fbdc16ba189c47e
Instruction Fuzzy Hash: 1301C475920516DBCF05EBA0E8466BDB7A0AF84311F648149F901A72D1DF70AE68CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0025B9B2 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0025B9B9
std::_Lockit::_Lockit.LIBCPMT ref: 0025B9C3
int.LIBCPMT ref: 0025B9DA

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

std::_Facet_Register.LIBCPMT ref: 0025BA14
std::_Lockit::~_Lockit.LIBCPMT ref: 0025BA34
Concurrency::cancel_current_task.LIBCPMT ref: 0025BA41

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 9776ca51ffe196646e584165ff5a160159adc2dfd19c3398b0f640daed3d1eda
Instruction ID: 394b3f21ccc47f1fd9a6300d5600105faf2ea4d1a1de5b92d8cf9ed16241d3ae
Opcode Fuzzy Hash: 9776ca51ffe196646e584165ff5a160159adc2dfd19c3398b0f640daed3d1eda
Instruction Fuzzy Hash: A901D631D202169BCF05EB64D8566BDB770AF44311F644109FD05A7381DF709D29CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0025BA47 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0025BA4E
std::_Lockit::_Lockit.LIBCPMT ref: 0025BA58
int.LIBCPMT ref: 0025BA6F

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

std::_Facet_Register.LIBCPMT ref: 0025BAA9
std::_Lockit::~_Lockit.LIBCPMT ref: 0025BAC9
Concurrency::cancel_current_task.LIBCPMT ref: 0025BAD6

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 0e89cb457ff3fc651271990f220cadb29caa18f78e96c037d58751bdb5db2ee9
Instruction ID: bc687911beb6095d74611c745d43f54d2490d5e26dc77eb8601ae0a32cefa6cc
Opcode Fuzzy Hash: 0e89cb457ff3fc651271990f220cadb29caa18f78e96c037d58751bdb5db2ee9
Instruction Fuzzy Hash: 5101C431D201169BCF05EB64D8466ADB761AF84312F644109FC15A7281DF749E29CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0026DEE9 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026DEF0
std::_Lockit::_Lockit.LIBCPMT ref: 0026DEFA
int.LIBCPMT ref: 0026DF11

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

std::_Facet_Register.LIBCPMT ref: 0026DF4B
std::_Lockit::~_Lockit.LIBCPMT ref: 0026DF6B
Concurrency::cancel_current_task.LIBCPMT ref: 0026DF78

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 9264bcb9e451e31b27e9027b18e6a8092e6b6d493c0f0cb4d65be25077bcd591
Instruction ID: 3546d00dd4e6ea7a98a2fc9cbaa45959c210c2769f5f6fa580f523a236113ea3
Opcode Fuzzy Hash: 9264bcb9e451e31b27e9027b18e6a8092e6b6d493c0f0cb4d65be25077bcd591
Instruction Fuzzy Hash: 5C01A135D2011A9BCF04EBA4D8466ADB7B1AF45311F644149F911A72D1CF709D64CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0026DF7E Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026DF85
std::_Lockit::_Lockit.LIBCPMT ref: 0026DF8F
int.LIBCPMT ref: 0026DFA6

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

std::_Facet_Register.LIBCPMT ref: 0026DFE0
std::_Lockit::~_Lockit.LIBCPMT ref: 0026E000
Concurrency::cancel_current_task.LIBCPMT ref: 0026E00D

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 518bb19615673cf21c265aa92d81eb621d7631b301658fd0bbeb7765082b3d44
Instruction ID: 06b4802828b83d71c557de0c8d609554edb9dfe9f2661879c006e4034422ad5e
Opcode Fuzzy Hash: 518bb19615673cf21c265aa92d81eb621d7631b301658fd0bbeb7765082b3d44
Instruction Fuzzy Hash: 52012631D2011ADBCF04EF60D84AABEB7B1AF84310F244109F811A72C0CF709D648F85

Uniqueness

Uniqueness Score: -1.00%

Function 002539B0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 286registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall\Fast!,?), ref: 002539EF
RegQueryValueExW.ADVAPI32(?,SettingV1,00000000,?,?,?), ref: 00253A21
CloseHandle.KERNEL32(?), ref: 00253A2D

Part of subcall function 00222E90: HeapAlloc.KERNEL32(?,00000000,?,?,?,002B2D8C,?,?,00222CBB,80070057), ref: 00222EBB

Part of subcall function 002230C0: GetProcessHeap.KERNEL32 ref: 002230EC

Strings

SettingV1, xrefs: 00253A16
Software\Microsoft\Windows\CurrentVersion\Uninstall\Fast!, xrefs: 002539E5

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Heap$AllocCloseCreateHandleProcessQueryValue
String ID: SettingV1$Software\Microsoft\Windows\CurrentVersion\Uninstall\Fast!
API String ID: 4251675174-1092914162
Opcode ID: 1fe399d58658acd726094e849ac1b523b257537de7b9105c76ee84d62ede5679
Instruction ID: e51c7b849bbb14ac44e6309395064011fe63dbe4d572b9b23e1da9cebe605802
Opcode Fuzzy Hash: 1fe399d58658acd726094e849ac1b523b257537de7b9105c76ee84d62ede5679
Instruction Fuzzy Hash: ABB19B30621206DFDB44EF6CD969BAEBBF4EF00315F1445ADE40ADB262DB309A188F51

Uniqueness

Uniqueness Score: -1.00%

Function 00262246 Relevance: 9.0, APIs: 6, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026224D
std::_Lockit::_Lockit.LIBCPMT ref: 00262257
int.LIBCPMT ref: 0026226E

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

ctype.LIBCPMT ref: 00262291
std::_Lockit::~_Lockit.LIBCPMT ref: 002622C8

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3ctype
String ID:
API String ID: 3358926169-0
Opcode ID: 7b6ef0990f2a683de1e7b037ab51782886986ad638235fea79c4a6c0ac729abf
Instruction ID: 6ff96ef87a1d66a0a73f69cf8c94835f83a4501a3115ca8d7e0d7312dd3f7830
Opcode Fuzzy Hash: 7b6ef0990f2a683de1e7b037ab51782886986ad638235fea79c4a6c0ac729abf
Instruction Fuzzy Hash: B2F06D3193061A9BCB04EB64C856BAE7320AF10325FA04608FE15AB1C1DE74DA688F91

Uniqueness

Uniqueness Score: -1.00%

Function 002622DB Relevance: 9.0, APIs: 6, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002622E2
std::_Lockit::_Lockit.LIBCPMT ref: 002622EC
int.LIBCPMT ref: 00262303

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

messages.LIBCPMT ref: 00262326
std::_Lockit::~_Lockit.LIBCPMT ref: 0026235D

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3messages
String ID:
API String ID: 50917705-0
Opcode ID: 56a45aef86a2ae8f29c704d6a41fb3ed7663a4228a9fedad0a42abb58bccb5df
Instruction ID: a4929f68f357de5503287f0677e73d089414d2152c3e94dbd9eb1a9c5908e948
Opcode Fuzzy Hash: 56a45aef86a2ae8f29c704d6a41fb3ed7663a4228a9fedad0a42abb58bccb5df
Instruction Fuzzy Hash: 2FF0903183061A9BCB04EBA0C856AAE7324AF50321FA44148FD15AB2D1DF749E798F92

Uniqueness

Uniqueness Score: -1.00%

Function 00262370 Relevance: 9.0, APIs: 6, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00262377
std::_Lockit::_Lockit.LIBCPMT ref: 00262381
int.LIBCPMT ref: 00262398

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

messages.LIBCPMT ref: 002623BB
std::_Lockit::~_Lockit.LIBCPMT ref: 002623F2

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3messages
String ID:
API String ID: 50917705-0
Opcode ID: 9493d5d58fa790633ccc976b6b5fd2790625bf8477e3af127104f1d431d28595
Instruction ID: 5620f98bb58808f5bd1ee409a1e7aa666b3fcb50ff6839f00b90ae5041d2daeb
Opcode Fuzzy Hash: 9493d5d58fa790633ccc976b6b5fd2790625bf8477e3af127104f1d431d28595
Instruction Fuzzy Hash: 27F06D3182051A9BCB04EF60D856AAE7360AB10325FA04648FD15AB2C1EF749A6D8B85

Uniqueness

Uniqueness Score: -1.00%

Function 00255E20 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 0025602D

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: 5fee8f0e370e7693a28b7fa2562723a22d0f6bdad3b03b986c868f738e4c65d0
Instruction ID: 37250042cced0341a99ac1ab5ef715216f224c3beb4829b971ae6d32c1ca0956
Opcode Fuzzy Hash: 5fee8f0e370e7693a28b7fa2562723a22d0f6bdad3b03b986c868f738e4c65d0
Instruction Fuzzy Hash: 4FA10171920606CFCB11CF28C844B6AFBF4FF49314F14876AE845AB791D731A855CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00232190 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 187COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002322E5
___std_exception_copy.LIBVCRUNTIME ref: 0023237F
___std_exception_copy.LIBVCRUNTIME ref: 002323A6

Strings

ange, xrefs: 002321DF
$i*, xrefs: 002321C3

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ___std_exception_copy
String ID: $i*$ange
API String ID: 2659868963-1123093404
Opcode ID: 2d857eb6ee80211bfebdcebbfc00f026f35f46827dca301a602eaff182ac49f8
Instruction ID: 12a36bbf71536bc7effba32356168b0a791d049bef1cede72df58f5fb884a2d3
Opcode Fuzzy Hash: 2d857eb6ee80211bfebdcebbfc00f026f35f46827dca301a602eaff182ac49f8
Instruction Fuzzy Hash: 5F61C3B1D202099BDB08CF68DC4569EF7B9FF59310F24831AE419A7741E774A9A4CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00266653 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026665A
_Getvals.LIBCPMT ref: 002666AC
_Mpunct.LIBCPMT ref: 002666E7
_Mpunct.LIBCPMT ref: 00266701

Strings

$+xv, xrefs: 0026670C

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Mpunct$GetvalsH_prolog3
String ID: $+xv
API String ID: 2204710431-1686923651
Opcode ID: d795956b25dfe96853a42a184c5b2cfefe468bcfb1a26858c7cfc4c61a16a0e5
Instruction ID: 89d9028218e695cd96a37f13bc7be72c8eb80a8b4d8dda6337ecee433ff72bfe
Opcode Fuzzy Hash: d795956b25dfe96853a42a184c5b2cfefe468bcfb1a26858c7cfc4c61a16a0e5
Instruction Fuzzy Hash: 2B21AEB1814B52AEDB21DF75C49473BBAF8AB08300F044A1AE499C7A41D734EA65CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00284B42 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,DBCFA47E,?,?,00000000,00295830,000000FF,?,00284B1E,?,?,00284AF2,?), ref: 00284B77
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00284B89
FreeLibrary.KERNEL32(00000000,?,00000000,00295830,000000FF,?,00284B1E,?,?,00284AF2,?), ref: 00284BAB

Strings

mscoree.dll, xrefs: 00284B70
CorExitProcess, xrefs: 00284B81

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 7d74a547feed622b255d08307cf3be6fb968a8f3f08e8567bdc9a76be0e181a9
Instruction ID: f508caf6713eb850505cf1508d850e42495c3441153123071363f085cb5e140b
Opcode Fuzzy Hash: 7d74a547feed622b255d08307cf3be6fb968a8f3f08e8567bdc9a76be0e181a9
Instruction Fuzzy Hash: C201A731920616EFCB019F54EC49FAEB7B8FB05714F004626E811E22D0DB749810CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0028AE6F Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0028AEF4
__alloca_probe_16.LIBCMT ref: 0028AFBD
__freea.LIBCMT ref: 0028B024

Part of subcall function 00287805: RtlAllocateHeap.NTDLL(00000000,00000000,00285594,?,0028A6F0,?,00000000,?,002816E3,00000000,00285594,00000004,?,00000000,?,0028538E), ref: 00287837

__freea.LIBCMT ref: 0028B037
__freea.LIBCMT ref: 0028B044

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 51db28484a54b58f54e0a58b0caa15b894be4e9a48b676ad785a420de1ca2a45
Instruction ID: 1702184fb44f55c8db56dd1a43179b9c76da17d623ce2aac859719e864678dcb
Opcode Fuzzy Hash: 51db28484a54b58f54e0a58b0caa15b894be4e9a48b676ad785a420de1ca2a45
Instruction Fuzzy Hash: DA51277A622207AFEB227F60CC85EBB7AA9EF44300B19412DFD14D6181EB35CC709761

Uniqueness

Uniqueness Score: -1.00%

Function 0025C6CD Relevance: 7.6, APIs: 5, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0025C6D4
std::_Lockit::_Lockit.LIBCPMT ref: 0025C6DE
std::_Lockit::~_Lockit.LIBCPMT ref: 0025C785
Concurrency::cancel_current_task.LIBCPMT ref: 0025C790
__EH_prolog3.LIBCMT ref: 0025C79D

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: H_prolog3Lockitstd::_$Concurrency::cancel_current_taskLockit::_Lockit::~_
String ID:
API String ID: 845066630-0
Opcode ID: bf9b995c5b500ae97944e21bbe49af8d29f01fd4b6a5a88cec9f02f94d41262f
Instruction ID: 19a06528b8a65f408d22907874055bb56fc70b341ec64092be31be216933c4d1
Opcode Fuzzy Hash: bf9b995c5b500ae97944e21bbe49af8d29f01fd4b6a5a88cec9f02f94d41262f
Instruction Fuzzy Hash: 68319E34A20216EFCB04EF54C895AACF774FF08311F508459ED15AB691DB70AD28CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0025F8AE Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

_Maklocstr.LIBCPMT ref: 0025F8CE
_Maklocstr.LIBCPMT ref: 0025F8EB
_Maklocstr.LIBCPMT ref: 0025F908
_Maklocchr.LIBCPMT ref: 0025F91A
_Maklocchr.LIBCPMT ref: 0025F92D

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Maklocstr$Maklocchr
String ID:
API String ID: 2020259771-0
Opcode ID: a4dd0bc2446b4489760ffcdb3cb6656e915db5f900136c023d7a0fb804a4a193
Instruction ID: 1bbec995b31922ca298ff51bac5bdbacd5dac30229ce2afeaa9aef88f0630db8
Opcode Fuzzy Hash: a4dd0bc2446b4489760ffcdb3cb6656e915db5f900136c023d7a0fb804a4a193
Instruction Fuzzy Hash: E0118FB1610784BFE760DBA4D891F13B7ACEB08355F044929F545CBA40D774FC688BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00262405 Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026240C
std::_Lockit::_Lockit.LIBCPMT ref: 00262416
int.LIBCPMT ref: 0026242D

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

std::_Lockit::~_Lockit.LIBCPMT ref: 00262487

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 4ba1181531219466321b867db34a4f879a4a4377d4aacd41f5e5e18433930b1d
Instruction ID: d77116bd45e163006a074db769c2c59d329870ea186b4a288d3dcac4055e93b0
Opcode Fuzzy Hash: 4ba1181531219466321b867db34a4f879a4a4377d4aacd41f5e5e18433930b1d
Instruction Fuzzy Hash: 9AF09031C3051AABCF04EB60D856AAE7360AF00351FA48508F925AB2D1DF35DE6C8F81

Uniqueness

Uniqueness Score: -1.00%

Function 0026249A Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002624A1
std::_Lockit::_Lockit.LIBCPMT ref: 002624AB
int.LIBCPMT ref: 002624C2

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

std::_Lockit::~_Lockit.LIBCPMT ref: 0026251C

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 301b0cdb6427872a2539561451c6b30b098d44a18c9abf779d12784562c21880
Instruction ID: 601bbaba12a813d40f015f542ab3c539d0e15c07bd5de467335ec0b064f864d2
Opcode Fuzzy Hash: 301b0cdb6427872a2539561451c6b30b098d44a18c9abf779d12784562c21880
Instruction Fuzzy Hash: 87F09031D3061ADBCF15EB60C856AAE7360AF00325FA04608F915AB2C1DF349EAC8F85

Uniqueness

Uniqueness Score: -1.00%

Function 0026252F Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00262536
std::_Lockit::_Lockit.LIBCPMT ref: 00262540
int.LIBCPMT ref: 00262557

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

std::_Lockit::~_Lockit.LIBCPMT ref: 002625B1

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 5d1b5b8756f1c7a93dc82b83142acfeb39f0991a4c5114ee16b3c822bfe327c2
Instruction ID: bbd42367d6a7f6352591bb0f616bad52e6691591fc4a84b6a663aa87070f49be
Opcode Fuzzy Hash: 5d1b5b8756f1c7a93dc82b83142acfeb39f0991a4c5114ee16b3c822bfe327c2
Instruction Fuzzy Hash: 43F062319205169BCB18EF60C4566AD7320AB00321FA44508F915AB1C1DE349E688B85

Uniqueness

Uniqueness Score: -1.00%

Function 002625C4 Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002625CB
std::_Lockit::_Lockit.LIBCPMT ref: 002625D5
int.LIBCPMT ref: 002625EC

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

std::_Lockit::~_Lockit.LIBCPMT ref: 00262646

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 838a84de786066a37316a97e5e8dd2890fd0647aa59a937048fbf529e30e9f8a
Instruction ID: ffb46df83cf6c0396882a4e47e31955195ef61c1f48c0dae9d0b9fbb9b1a5c2e
Opcode Fuzzy Hash: 838a84de786066a37316a97e5e8dd2890fd0647aa59a937048fbf529e30e9f8a
Instruction Fuzzy Hash: DFF0903183061ADBCF05EF60C856AAE7364AF50311FA44208FA15AB2D1DF34DE698F85

Uniqueness

Uniqueness Score: -1.00%

Function 00262659 Relevance: 7.5, APIs: 5, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00262660
std::_Lockit::_Lockit.LIBCPMT ref: 0026266A
int.LIBCPMT ref: 00262681

Part of subcall function 00242200: std::_Lockit::_Lockit.LIBCPMT ref: 00242211
Part of subcall function 00242200: std::_Lockit::~_Lockit.LIBCPMT ref: 0024222B

moneypunct.LIBCPMT ref: 002626A4
std::_Lockit::~_Lockit.LIBCPMT ref: 002626DB

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3moneypunct
String ID:
API String ID: 3160146232-0
Opcode ID: 6268f57d15efddb03c052ebe9f70244b95aa6c80c43846bcd7b65f06c2b82b41
Instruction ID: 83f828f3baf987a135dd0c8cfa89dc4de53c1bfdb94673808655a2f7a643ad66
Opcode Fuzzy Hash: 6268f57d15efddb03c052ebe9f70244b95aa6c80c43846bcd7b65f06c2b82b41
Instruction Fuzzy Hash: BBF08C31D2061A97CF01FBA0C852AEE7325AF50302F904458FA05BB281DF709EA9CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00235870 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00235B35
std::_Throw_Cpp_error.LIBCPMT ref: 00235B53
std::_Throw_Cpp_error.LIBCPMT ref: 00235B5E

Strings

list too long, xrefs: 00235B63

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Mtx_unlock
String ID: list too long
API String ID: 2334871359-1124181908
Opcode ID: 90fe5b023f083e87142eec4ce2fcd3fd149e32aa4d057cf802a1f84ddd674c90
Instruction ID: f6e38293973248fbd4d320a080e45039853d8a0ee5f4aff1f96d38c954ce69f8
Opcode Fuzzy Hash: 90fe5b023f083e87142eec4ce2fcd3fd149e32aa4d057cf802a1f84ddd674c90
Instruction Fuzzy Hash: 2FB139B1A10219EFDB04DFA8D885B9DBBF5EF48310F15816AE909EB351E7709914CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0022F9A0 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 255COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0022FC81
___std_exception_destroy.LIBVCRUNTIME ref: 0022FC90

Strings

, column , xrefs: 0022FAD5, 0022FAEB
at line , xrefs: 0022FA9C

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: 7befa1d4a086039e6fb270783e58019ee7126698855753a1943e0330deabfc76
Instruction ID: 1063caf2217a7310a24008a6769b0bde4b9cfdc45d7f7f74546a989f31d1ac83
Opcode Fuzzy Hash: 7befa1d4a086039e6fb270783e58019ee7126698855753a1943e0330deabfc76
Instruction Fuzzy Hash: 4F915971A10218AFDB18CF68DD85B9EB7B5EF45300F108279E449E7782DB30AA95CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00235DF0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00235F86
std::_Throw_Cpp_error.LIBCPMT ref: 00235FB9
std::_Throw_Cpp_error.LIBCPMT ref: 00235FC0

Strings

2, xrefs: 00235F6B

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Mtx_unlock
String ID: 2
API String ID: 2334871359-450215437
Opcode ID: 64db2a2d2467508233210a3ffbabf3c3c92930c70c360614f44e9bb1465c3460
Instruction ID: 44e89282452e873f88ef1e87d98c298480da0530a0d1b3d14c7d2219623be8d8
Opcode Fuzzy Hash: 64db2a2d2467508233210a3ffbabf3c3c92930c70c360614f44e9bb1465c3460
Instruction Fuzzy Hash: A351BFB1A105169FCB14DF68C891AAEB7F9FF49310F14416AE819EB391DB30ED11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0024F990 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000200,00000000,?,DBCFA47E), ref: 0024F9D5
SetProcessPriorityBoost.KERNEL32(?,00989680,?), ref: 0024FA3B

Strings

\|*, xrefs: 0024F9F3
4), xrefs: 0024FA90

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Process$BoostOpenPriority
String ID: 4)$\|*
API String ID: 1481830850-1633407163
Opcode ID: a836df824a57b6e546e856b0668b3f14781cc67b93f6b43006c007b771242c3f
Instruction ID: 1499164b2f574771dcf2e7775b42fddecc13a030268ec4b377061162a8fcaffe
Opcode Fuzzy Hash: a836df824a57b6e546e856b0668b3f14781cc67b93f6b43006c007b771242c3f
Instruction Fuzzy Hash: 26316B7490130ADFCF18DFA4D948BAEBBB4FF44710F20416AE81AEB650DB74AA54CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00266588 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026658F

Part of subcall function 0025F8AE: _Maklocstr.LIBCPMT ref: 0025F8CE
Part of subcall function 0025F8AE: _Maklocstr.LIBCPMT ref: 0025F8EB
Part of subcall function 0025F8AE: _Maklocstr.LIBCPMT ref: 0025F908
Part of subcall function 0025F8AE: _Maklocchr.LIBCPMT ref: 0025F91A
Part of subcall function 0025F8AE: _Maklocchr.LIBCPMT ref: 0025F92D

_Mpunct.LIBCPMT ref: 0026661C
_Mpunct.LIBCPMT ref: 00266636

Strings

$+xv, xrefs: 00266641

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Maklocstr$MaklocchrMpunct$H_prolog3
String ID: $+xv
API String ID: 2939335142-1686923651
Opcode ID: 3750206c0eff50dd19808c861b21719c6876ec39fd14279fefa6cbdfae1d926f
Instruction ID: 589e640980fe79330c5dd38fbbc1d5b8e76b9b2c954cdb97d444978f4bf4b892
Opcode Fuzzy Hash: 3750206c0eff50dd19808c861b21719c6876ec39fd14279fefa6cbdfae1d926f
Instruction Fuzzy Hash: B621B0B1814B926EDB21DF75C49473BBEF8AF08301F044A1AE499C7A41D734EA65CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0026F557 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026F55E
_Mpunct.LIBCPMT ref: 0026F5EB
_Mpunct.LIBCPMT ref: 0026F605

Strings

$+xv, xrefs: 0026F610

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Mpunct$H_prolog3
String ID: $+xv
API String ID: 4281374311-1686923651
Opcode ID: eaa489efc579ab87671d244d4e990c47fe93621ad0e8fa616136f22a925b6589
Instruction ID: c572660bb6997c8618ac3ecf47522db38f3d3ea38ffa0259611c3d50f75df390
Opcode Fuzzy Hash: eaa489efc579ab87671d244d4e990c47fe93621ad0e8fa616136f22a925b6589
Instruction Fuzzy Hash: E621B2B1914B56AEDB21DF75D49073BBEF8AB08300F044A1AE49AC7A41D730EA65CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00277042 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00276FF3,?,00000000,00000000,?,?,?,0027711D,00000002,FlsGetValue,0029EBC0,FlsGetValue), ref: 0027704F
GetLastError.KERNEL32(?,00276FF3,?,00000000,00000000,?,?,?,0027711D,00000002,FlsGetValue,0029EBC0,FlsGetValue,?,?,00275E3B), ref: 00277059
LoadLibraryExW.KERNEL32(?,00000000,00000000,000000FF,?,00239CFF,?,?,?,?,?,?,?,?,002392CF,?), ref: 00277081

Strings

api-ms-, xrefs: 00277066

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 1d7edd480094ab485853a7e1560db9f29d63a20dd2cd9b6ec6b3b7619e41b147
Instruction ID: c5ea1fb6b823b5a68ea1a743b300c6022bd27e83d56c481607fb96288690c6f8
Opcode Fuzzy Hash: 1d7edd480094ab485853a7e1560db9f29d63a20dd2cd9b6ec6b3b7619e41b147
Instruction Fuzzy Hash: E4E0BF706A4206FBEF202F61EC0BB693F55AF01B54F208421F90DA85E2E771E9709A85

Uniqueness

Uniqueness Score: -1.00%

Function 002925FC Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(DBCFA47E,00000000,00000000,?), ref: 0029265F

Part of subcall function 0028A57E: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0028B01A,?,00000000,-00000008), ref: 0028A5DF

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 002928B1
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 002928F7
GetLastError.KERNEL32 ref: 0029299A

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: d81eb2b5d0534c27f3d9100087f7f2f3c0facb2c723036ecd7357ed5f5c98087
Instruction ID: 0d299c47f18632f756dad2349cba91c52f9ae5be3dc337132a43a788f6a94eb7
Opcode Fuzzy Hash: d81eb2b5d0534c27f3d9100087f7f2f3c0facb2c723036ecd7357ed5f5c98087
Instruction Fuzzy Hash: 18D18A75D10249EFDF15CFA8D880AEDBBB9FF09310F24412AE856EB251D630A956CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0026356E Relevance: 6.3, APIs: 4, Instructions: 319COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00263575
_strcspn.LIBCMT ref: 002635E0
_strcspn.LIBCMT ref: 00263600
ctype.LIBCPMT ref: 00263670

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: 3473dae395467adafb4688ce78c46042cc990af8be4b857bd3d1c07bd8415c2c
Instruction ID: 530fdd9f7bdbd52d375a666ae85d6cbf1cb9b0d8e02ea3781b4f73646ab87333
Opcode Fuzzy Hash: 3473dae395467adafb4688ce78c46042cc990af8be4b857bd3d1c07bd8415c2c
Instruction Fuzzy Hash: 8DC128B5920249DFDF15DF94C981AEEBBB9EF48310F14401AE805A7251D730AEA9CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 002638C8 Relevance: 6.3, APIs: 4, Instructions: 319COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002638CF
_strcspn.LIBCMT ref: 0026393A
_strcspn.LIBCMT ref: 0026395A
ctype.LIBCPMT ref: 002639CA

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: 984f67ccec2af17a865d90b2ad79f9e347693e4ab22ce9787e54079c50078a9b
Instruction ID: 1393508442c9bd608903b68a607216cb76b4128a554b0ad1af6f69a8c5334f2d
Opcode Fuzzy Hash: 984f67ccec2af17a865d90b2ad79f9e347693e4ab22ce9787e54079c50078a9b
Instruction Fuzzy Hash: 5AC148719202499FDF15DFD8C981AEEBBB9EF48310F14401AE805B7251D730AEA9DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0025BD33 Relevance: 6.3, APIs: 4, Instructions: 316COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0025BD3A
_strcspn.LIBCMT ref: 0025BDA5
_strcspn.LIBCMT ref: 0025BDC5
ctype.LIBCPMT ref: 0025BE35

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: be127f8e20decaaa4d51c830f30e2cc9f9c89d76961171e374d8c0a4dd4781b8
Instruction ID: d93c6b40db20aca8aa19bb94642888a4862c80e4c328c18cd7325b27a6fe626f
Opcode Fuzzy Hash: be127f8e20decaaa4d51c830f30e2cc9f9c89d76961171e374d8c0a4dd4781b8
Instruction Fuzzy Hash: 0AC18D71D20209DFDF15DFA4C981AEEBBB9EF48311F244019E805AB251D730AE69CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0023D300 Relevance: 6.2, APIs: 4, Instructions: 196COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 0023D381
__Mtx_unlock.LIBCPMT ref: 0023D3B3
std::_Throw_Cpp_error.LIBCPMT ref: 0023D4EB
std::_Throw_Cpp_error.LIBCPMT ref: 0023D4F9

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Cpp_errorMtx_unlockThrow_std::_
String ID:
API String ID: 2243708590-0
Opcode ID: 8bc337d805e677e948484c21d1597021c1fb02ca0983633b341e9e3ed07b35de
Instruction ID: 3dd45b8952d86b03626bb0d0c8ea852f6e80cbdaffee8aaaffa3ce8be0ae25cf
Opcode Fuzzy Hash: 8bc337d805e677e948484c21d1597021c1fb02ca0983633b341e9e3ed07b35de
Instruction Fuzzy Hash: 776100B1A1020ADFCB10DF68D881BAEFBB4FF05314F14825DE9199B381DB75A924CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0023FC10 Relevance: 6.2, APIs: 4, Instructions: 196COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 0023FC91
__Mtx_unlock.LIBCPMT ref: 0023FCC3
std::_Throw_Cpp_error.LIBCPMT ref: 0023FDFB
std::_Throw_Cpp_error.LIBCPMT ref: 0023FE09

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Cpp_errorMtx_unlockThrow_std::_
String ID:
API String ID: 2243708590-0
Opcode ID: 6dd66306e5ebc7a004edd4cefba16f199c451d53fa76020a328ce9aa1f5983a4
Instruction ID: 5dbfe81ae2bb217a98889dd557af23d9ad7228596381ac19973df56b8d808c62
Opcode Fuzzy Hash: 6dd66306e5ebc7a004edd4cefba16f199c451d53fa76020a328ce9aa1f5983a4
Instruction Fuzzy Hash: 566122B0A1020ADFCB10DF58D841B6EFBB4EF04314F14826DE9199B381DB35A914CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00275F31 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00275FF8
___AdjustPointer.LIBCMT ref: 0027601B
___AdjustPointer.LIBCMT ref: 002760B7

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: f7f4ecc24c28806862996452e1fad8d5335bdf6569873eb0eb7a09679f0f2cdc
Instruction ID: 9215b37a6e04573ce5ecc0887b027a69c3850a0894426271b810162baa8f50b7
Opcode Fuzzy Hash: f7f4ecc24c28806862996452e1fad8d5335bdf6569873eb0eb7a09679f0f2cdc
Instruction Fuzzy Hash: D051D4B1620A17AFEB299F10D449BBAB7A4FF05310F14C12DE80987A91E771ED70DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00289932 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a83e33ee7fb22da0e0417008987643a874fd93211c0a185256a52957b738d7
Instruction ID: c5607975328efebbf046dc57d5eec046f071626dbca246c098963d5247a43083
Opcode Fuzzy Hash: a2a83e33ee7fb22da0e0417008987643a874fd93211c0a185256a52957b738d7
Instruction Fuzzy Hash: 3141F776A20645AFD714BF3CCC41BBABBE8EB88710F14452EF115DB6C1D67199A08B80

Uniqueness

Uniqueness Score: -1.00%

Function 002374D0 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00237531
__Mtx_unlock.LIBCPMT ref: 00237563
std::_Throw_Cpp_error.LIBCPMT ref: 0023769B
std::_Throw_Cpp_error.LIBCPMT ref: 002376A9

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Cpp_errorMtx_unlockThrow_std::_
String ID:
API String ID: 2243708590-0
Opcode ID: df3a332b4f61314035ccb3f9efff6fe32dd03058aa44c3532f24081383e8b0a4
Instruction ID: aac4bf70f7f3309214fcbe3a3b1e39092fc375f6c7448c1f761e7cc89a7c0671
Opcode Fuzzy Hash: df3a332b4f61314035ccb3f9efff6fe32dd03058aa44c3532f24081383e8b0a4
Instruction Fuzzy Hash: CD4113B0A11206DFDF14DF68C842BAEBBF4EF05314F148259E809AB382DB71A954CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0023BAA0 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 0023BB21

Part of subcall function 0023C830: WinHttpConnect.WINHTTP(?,C08504C4,000001BB,00000000,DBCFA47E,000003E8,?,?,?,0023BB34,?), ref: 0023C882
Part of subcall function 0023C830: GetTickCount64.KERNEL32 ref: 0023C8C3
Part of subcall function 0023C830: WinHttpOpenRequest.WINHTTP(?,GET,?,00000000,00000000,00000000,00800000), ref: 0023C904
Part of subcall function 0023C830: WinHttpSetTimeouts.WINHTTP(00000000,00002710,00002710,00002710,00002710), ref: 0023C925
Part of subcall function 0023C830: WinHttpCloseHandle.WINHTTP(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0023BB34,?), ref: 0023C936
Part of subcall function 0023C830: WinHttpCloseHandle.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,?,?,0023BB34,?), ref: 0023C93B

__Mtx_unlock.LIBCPMT ref: 0023BB8C
std::_Throw_Cpp_error.LIBCPMT ref: 0023BBF3
std::_Throw_Cpp_error.LIBCPMT ref: 0023BC01

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Http$CloseCpp_errorHandleMtx_unlockThrow_std::_$ConnectCount64OpenRequestTickTimeouts
String ID:
API String ID: 186550968-0
Opcode ID: e49b02e8f84d4121ab0d78956cc0415bc4efc2c5c4edae8bdfd82abfdc2f3255
Instruction ID: 41bdb8972ff3f8bbdf261e561492194b9a9cd34bb05e50b4bbf302310453c048
Opcode Fuzzy Hash: e49b02e8f84d4121ab0d78956cc0415bc4efc2c5c4edae8bdfd82abfdc2f3255
Instruction Fuzzy Hash: C341F7B1A10605CFCB11DF68C845B5AB3B5EF05324F044669ED26972D1DF70E924CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002424F0 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00242534
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0024257C
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 002425B1
std::_Lockit::~_Lockit.LIBCPMT ref: 00242646

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID:
API String ID: 1143662833-0
Opcode ID: 922ba1146e01977ed5024cc73621067f296476698ed826ddd05fe3eadab6a62d
Instruction ID: 87bf124cb16d187d697ebb0016b499fc09ad57e6f4c9b7d3998d43eff0f915cc
Opcode Fuzzy Hash: 922ba1146e01977ed5024cc73621067f296476698ed826ddd05fe3eadab6a62d
Instruction Fuzzy Hash: 084150B0D24349CBEB10DFE5C94579EBBF8AF14304F14852AE809A7282EB74A518CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002824B5 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a2d75775aa0d949f466012a1151555f1a7e5e31e01121e06a1746e32abc7467
Instruction ID: b51758b42f9ca437cf88634f63cb8abefcc00e7f89c741a9c9081837d519b876
Opcode Fuzzy Hash: 7a2d75775aa0d949f466012a1151555f1a7e5e31e01121e06a1746e32abc7467
Instruction Fuzzy Hash: A9212375AA2206EFDB24BF74DC6092A77A9FF003247908125FD19D7190EB34ED748BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00259E79 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00259DDA: GetModuleHandleExW.KERNEL32(00000002,00000000,?,?,?,00259E2C,00000014,?,00259E6D,00000014,?,00238745,00000000,00000014,?,DBCFA47E), ref: 00259DE6

__Mtx_unlock.LIBCPMT ref: 00259EBA
FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,DBCFA47E,?,?,?,00295830,000000FF), ref: 00259EE0
__Mtx_unlock.LIBCPMT ref: 00259F16
__Cnd_broadcast.LIBCPMT ref: 00259F25

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Mtx_unlock$CallbackCnd_broadcastFreeHandleLibraryModuleReturnsWhen
String ID:
API String ID: 420990631-0
Opcode ID: 9fffe9458732e3d15229f1a2793a4bbf5e58a1b4a94e4a0a133fb2755a0b84c6
Instruction ID: 395031a84845dd7d960d5f996d5195fdcd69d993ca48816e64030d3b1f701b75
Opcode Fuzzy Hash: 9fffe9458732e3d15229f1a2793a4bbf5e58a1b4a94e4a0a133fb2755a0b84c6
Instruction Fuzzy Hash: 60113432A24601EBCB217F25AC0AA6E77B8EB42B21F14441AFD0597290CF34D8A1CA84

Uniqueness

Uniqueness Score: -1.00%

Function 0028133B Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00251D90,002811DD,00000000,00000004,00000000), ref: 0028138A
GetLastError.KERNEL32(?,?,?,00251FC9,00251D90), ref: 00281396
__dosmaperr.LIBCMT ref: 0028139D

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 6d37950f8c58f2f11103eaef8b0be7c2448cb8ab9f1c7170788d77fbd768090a
Instruction ID: e65296c6c834f50f5f504d66dd82a1c8b2bf7515a9be6bf440feb0824b09f336
Opcode Fuzzy Hash: 6d37950f8c58f2f11103eaef8b0be7c2448cb8ab9f1c7170788d77fbd768090a
Instruction Fuzzy Hash: 5A014E76821204FBDB007FA4DC09B9E7A6CEF81371F204255F924960D0DB708A72DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0023A690 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0023A69C
GetForegroundWindow.USER32 ref: 0023A6A4
GetCursorPos.USER32(?), ref: 0023A6BA
WindowFromPoint.USER32(?,?), ref: 0023A6CA

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Window$ActiveCursorForegroundFromPoint
String ID:
API String ID: 4205958593-0
Opcode ID: 8bf7c3fd3f7d24cce2f5af8fb570a346d402338dd1843a8494987e35ee86f113
Instruction ID: aa5395278a0106fb01def1d930f8cbda2a712ab10e233c161703eb8c945b6ab1
Opcode Fuzzy Hash: 8bf7c3fd3f7d24cce2f5af8fb570a346d402338dd1843a8494987e35ee86f113
Instruction Fuzzy Hash: 9E01F776D102195BCF209FBAA88949DFBACEE45311B1942BBEC48E3210DB318C505E91

Uniqueness

Uniqueness Score: -1.00%

Function 0025A31B Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0025A322
std::_Lockit::_Lockit.LIBCPMT ref: 0025A32D
std::_Lockit::~_Lockit.LIBCPMT ref: 0025A39B

Part of subcall function 0025A4AD: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0025A4C5

std::locale::_Setgloballocale.LIBCPMT ref: 0025A348

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 4da4b32e919b16578943267abda2f06c3372f20848c6a854da107796f49a41ed
Instruction ID: 8faa69bb21f7ffcf9e4e146b92112a778a7db0e48f7da768350d0ae4fa36b6f7
Opcode Fuzzy Hash: 4da4b32e919b16578943267abda2f06c3372f20848c6a854da107796f49a41ed
Instruction Fuzzy Hash: 5601D475A201129BCB05EF60E84A57C77A1BFC5310B648149ED1A57381CF346E6ADFCA

Uniqueness

Uniqueness Score: -1.00%

Function 00280F5F Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(?,?,?,00281050,?), ref: 00280F6A
GetLastError.KERNEL32(?,00281050,?), ref: 00280F74
__dosmaperr.LIBCMT ref: 00280F7B
GetCurrentDirectoryW.KERNEL32(?,?,?,?,00281050,?), ref: 00280FA2

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: CurrentDirectory$ErrorLast__dosmaperr
String ID:
API String ID: 1554857224-0
Opcode ID: 13746cb8c22647c1d934262c062738d33fac2ac613efbf68b1bd6ff86847fa53
Instruction ID: be71a69e11510c68b2e9d1cd6d6c5f2eed499ddc452f1b95d92968e2eccfc0ce
Opcode Fuzzy Hash: 13746cb8c22647c1d934262c062738d33fac2ac613efbf68b1bd6ff86847fa53
Instruction Fuzzy Hash: CBF05E356256029FDB70BF71E8489577BA9FF20350360C929B66AC2960DF70E8308B50

Uniqueness

Uniqueness Score: -1.00%

Function 002949FA Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00293D3E,00000000,00000001,00000000,?,?,002929EE,?,00000000,00000000), ref: 00294A11
GetLastError.KERNEL32(?,00293D3E,00000000,00000001,00000000,?,?,002929EE,?,00000000,00000000,?,?,?,00292F91,00000000), ref: 00294A1D

Part of subcall function 002949E3: CloseHandle.KERNEL32(FFFFFFFE,00294A2D,?,00293D3E,00000000,00000001,00000000,?,?,002929EE,?,00000000,00000000,?,?), ref: 002949F3

___initconout.LIBCMT ref: 00294A2D

Part of subcall function 002949A5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,002949D4,00293D2B,?,?,002929EE,?,00000000,00000000,?), ref: 002949B8

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00293D3E,00000000,00000001,00000000,?,?,002929EE,?,00000000,00000000,?), ref: 00294A42

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 5fd63681a29f3bf67d6f1a73a6d5bfe57c5a9301a2141c00bc6c9c1ab5ca68cb
Instruction ID: ab180823ee29fc6f7e1661496ee9a72876d5cd43f690cb7ba99b94b5eb07d904
Opcode Fuzzy Hash: 5fd63681a29f3bf67d6f1a73a6d5bfe57c5a9301a2141c00bc6c9c1ab5ca68cb
Instruction Fuzzy Hash: B9F01C36120129BFCF222F91EC0AE8E3F26FB083A0F504111FA1896120D63288719B90

Uniqueness

Uniqueness Score: -1.00%

Function 0028DA46 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

HQ+, xrefs: 0028DD18
HQ+, xrefs: 0028DA72

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID:
String ID: HQ+$HQ+
API String ID: 0-3314438243
Opcode ID: 47f1f37ef651af02d172a968ae27b8a337c4a8d75022e3e564fb830c071c6996
Instruction ID: ab14eda929f9e15b80c7886368af60c68eebd66e536fc63deab582ad5e33ec21
Opcode Fuzzy Hash: 47f1f37ef651af02d172a968ae27b8a337c4a8d75022e3e564fb830c071c6996
Instruction Fuzzy Hash: A2B17A76951205AEEB21EFA4CC82FEB77FCAB48700F150556FA15EB1C2EA70D914CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0022FCB0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 328COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002300AB

Strings

parse error, xrefs: 0022FDA4, 0022FDC0
ror, xrefs: 0022FCFD

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: 6c146a442a53bbf44c5524cd72117f5d77a0724f2ac0f8c4b09d4f810a5207ae
Instruction ID: 74b925f00c50f183dab4e8c2889d5bfd2c5ba6c679c3e402a355b558a87e2717
Opcode Fuzzy Hash: 6c146a442a53bbf44c5524cd72117f5d77a0724f2ac0f8c4b09d4f810a5207ae
Instruction Fuzzy Hash: D4D10471D202489FEB18CF68CD85B9DBB71BF45300F2482A8E418AB782D7746A95CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0027F9FE Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 291COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0027FB75

Strings

+, xrefs: 0027FAD3
-, xrefs: 0027FAC6

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: __aulldiv
String ID: +$-
API String ID: 3732870572-2137968064
Opcode ID: 40e3caee3db8c548ff2f3e9eb6720e7d1b8bc5dcab7563644ae315c5b0c3fc7c
Instruction ID: d45e0820d41f2526d9f642be9070d7b962a21c5e1fe939505587475321dadb8a
Opcode Fuzzy Hash: 40e3caee3db8c548ff2f3e9eb6720e7d1b8bc5dcab7563644ae315c5b0c3fc7c
Instruction Fuzzy Hash: FCA1F4309282199ECF95CE78CA607FE7BA1EF59324F14C56AECAC9B381D234D9119B50

Uniqueness

Uniqueness Score: -1.00%

Function 0022C1FB Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

array, xrefs: 0022C75E

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID:
String ID: array
API String ID: 0-2701979319
Opcode ID: 794e96e3d9ad664a4e700f510dbd97015cb1d0c86947ed13c17fd73d64a6dde7
Instruction ID: fe500bfd47e079270f2d57befa80b780836f094eb7c1e6741c25b5d7ea1dd00b
Opcode Fuzzy Hash: 794e96e3d9ad664a4e700f510dbd97015cb1d0c86947ed13c17fd73d64a6dde7
Instruction Fuzzy Hash: 40B1BE71D20268AFDB15CFA4DC84BADBB75BF45300F24C29AE449A7741DB306A94CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0022C456 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

array, xrefs: 0022C75E

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID:
String ID: array
API String ID: 0-2701979319
Opcode ID: 3bb876c63d09ff6a75f4d81c01b12df7144aad931a90c898eacabe3f9cd645ce
Instruction ID: 02d6d25a130b01858fc063fa5efd491d468f9bc69da527c8a2bba207d8b2479a
Opcode Fuzzy Hash: 3bb876c63d09ff6a75f4d81c01b12df7144aad931a90c898eacabe3f9cd645ce
Instruction Fuzzy Hash: 30B1B071D202699FDB19CF64DC84BEDBBB5BF49300F248299E449A7741DB30AAA4CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0022C5A7 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

array, xrefs: 0022C75E

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID:
String ID: array
API String ID: 0-2701979319
Opcode ID: d3ad8b9431425c96cceccb08dec8d8afe6faa8177c0f797b0fe64fafd7c41b41
Instruction ID: 64336292ac4daa8d67a93268eee335ce3b45d3cc602eba7829489ec8de01f531
Opcode Fuzzy Hash: d3ad8b9431425c96cceccb08dec8d8afe6faa8177c0f797b0fe64fafd7c41b41
Instruction Fuzzy Hash: 4EB1D271D20268AFDB14CFA4DC84BADFBB5BF45300F248299E449A7742DB30A994CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002213C8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 267COMMON

Download Yara Rule

Strings

a=configList&guid=%ws&version=%ws, xrefs: 002213CA
/api/fast.php, xrefs: 002214E9, 00221500

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$ConditionVariableWake
String ID: /api/fast.php$a=configList&guid=%ws&version=%ws
API String ID: 4258034872-3678868694
Opcode ID: 175fd5baf3f0d8af53ca7bfb8b82634169c7289d4470ab82c093c9da1b69cfda
Instruction ID: 0bf01030d1849c265c202a624aa1937ad03cb2c4406848154c2e2885cc0ae368
Opcode Fuzzy Hash: 175fd5baf3f0d8af53ca7bfb8b82634169c7289d4470ab82c093c9da1b69cfda
Instruction Fuzzy Hash: 11B1AFB0D11245EFDB00DFE8E885B9DFBB0AF55310F188259E805AB392DB759928CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0022C11C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 245COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0022C845
___std_exception_destroy.LIBVCRUNTIME ref: 0022C858
___std_exception_destroy.LIBVCRUNTIME ref: 0022D458
___std_exception_destroy.LIBVCRUNTIME ref: 0022D46B

Strings

array, xrefs: 0022C75E

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: array
API String ID: 4194217158-2701979319
Opcode ID: db53bf50ed18b50dcf7ba0a7fcad828eeb30ae072b01745fdf88e2108b3556de
Instruction ID: 414bcec13709d9354e55d0426d9188434cd36dff5f2ec397568c80b7afb2b399
Opcode Fuzzy Hash: db53bf50ed18b50dcf7ba0a7fcad828eeb30ae072b01745fdf88e2108b3556de
Instruction Fuzzy Hash: 72A12331D20268ABDB18CFA4EC84BADFB75BF45300F248299D409A7781DB745AA4CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0022C159 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

array, xrefs: 0022C75E

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID:
String ID: array
API String ID: 0-2701979319
Opcode ID: a48c709ba83beceea37a8dd6727b5da227246d3bd6e73e0ac05811bba8a9f7ec
Instruction ID: ca82283a3ec6bf7cbfcb483af9fe986c364691a8da26b2985329cd2cc555f53b
Opcode Fuzzy Hash: a48c709ba83beceea37a8dd6727b5da227246d3bd6e73e0ac05811bba8a9f7ec
Instruction Fuzzy Hash: 9A811871D20268AFDB18CFA4EC84BADB775BF41300F2482A9E409E7781DB345AA4CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00232450 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 207COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00232585

Strings

$i*, xrefs: 0023259F
cannot use at() with , xrefs: 00232461, 00232616

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: $i*$cannot use at() with
API String ID: 118556049-79509838
Opcode ID: fef46247b25ef9e459976774fe36f104ff994edcef87caf7666bb8b0e2c2979c
Instruction ID: 9182abee27507506c209b8a0d97443158f77f565f6bd8a980daeb3db1d58f67f
Opcode Fuzzy Hash: fef46247b25ef9e459976774fe36f104ff994edcef87caf7666bb8b0e2c2979c
Instruction Fuzzy Hash: B761FCB2620215EBCB18DF68C88165EB7A9FF44340F504269FD05D7201E771EE648BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0022C597 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 192COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0022C845
___std_exception_destroy.LIBVCRUNTIME ref: 0022C858

Strings

array, xrefs: 0022C75E

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: array
API String ID: 4194217158-2701979319
Opcode ID: 100b28e47a08051755ec86248117fc4f7688a3c7bd7558914084aaf7baed44c5
Instruction ID: 39d3c108d3a8bc15354f85aab22221a650bfa9cb2b16f5388abc0406ad33eb42
Opcode Fuzzy Hash: 100b28e47a08051755ec86248117fc4f7688a3c7bd7558914084aaf7baed44c5
Instruction Fuzzy Hash: 64614971D20268ABDF18DFA8EC98BADB775BF41300F248269E405E7781DB3459A4CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0027146D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 002715D1

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00271537, 0027156E, 00271573
-, xrefs: 00271602

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3732870572-1956417402
Opcode ID: 26d3e8c14d586a3535d923269072a36fa9675e59ef6b8bee8ef9343ca06c319f
Instruction ID: 1ba54442e8267f1f7e94e41021e0298e55c378d64b9e3a4952ee13c2ddf5b03d
Opcode Fuzzy Hash: 26d3e8c14d586a3535d923269072a36fa9675e59ef6b8bee8ef9343ca06c319f
Instruction Fuzzy Hash: FA510974F342469BDF298E6D84917BEBBF99F85310F58C05AE489D7241C27089718B50

Uniqueness

Uniqueness Score: -1.00%

Function 0026BC49 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0026BC50
swprintf.LIBCMT ref: 0026BCC8

Part of subcall function 00262246: __EH_prolog3.LIBCMT ref: 0026224D
Part of subcall function 00262246: std::_Lockit::_Lockit.LIBCPMT ref: 00262257
Part of subcall function 00262246: int.LIBCPMT ref: 0026226E

Part of subcall function 0025E9AF: _wmemset.LIBCMT ref: 0025E9D9

Strings

%.0Lf, xrefs: 0026BCC0

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: H_prolog3H_prolog3_LockitLockit::__wmemsetstd::_swprintf
String ID: %.0Lf
API String ID: 2528782737-1402515088
Opcode ID: 80849512870fc59264189c7dd4a6b971d31eb02cb81ac3fdeca8bed5f2aa5918
Instruction ID: d1554bf17b35e5015881fd70a9ef7f394779e3c3eb538b269e8cf9e14c5833cc
Opcode Fuzzy Hash: 80849512870fc59264189c7dd4a6b971d31eb02cb81ac3fdeca8bed5f2aa5918
Instruction Fuzzy Hash: 22512971D10218EBCF0ADFE4D885ADDBBB9BB08300F10441AE906AB2A5DB7559A5CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0026BF42 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0026BF49
swprintf.LIBCMT ref: 0026BFC1

Part of subcall function 00255E20: std::_Lockit::_Lockit.LIBCPMT ref: 0025606D
Part of subcall function 00255E20: std::_Lockit::_Lockit.LIBCPMT ref: 00256090
Part of subcall function 00255E20: std::_Lockit::~_Lockit.LIBCPMT ref: 002560B0
Part of subcall function 00255E20: std::_Lockit::~_Lockit.LIBCPMT ref: 0025613D

Part of subcall function 0025EA37: _wmemset.LIBCMT ref: 0025EA61

Strings

%.0Lf, xrefs: 0026BFB9

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__wmemsetswprintf
String ID: %.0Lf
API String ID: 1581600354-1402515088
Opcode ID: 8189e60623e097baa7fb0db208fcdfce7cfab1e159747b9abb2c8dd88518ebec
Instruction ID: 760a1bfa78726a4efa7616128e7bee07e7529d2214101a30658b45638424d910
Opcode Fuzzy Hash: 8189e60623e097baa7fb0db208fcdfce7cfab1e159747b9abb2c8dd88518ebec
Instruction Fuzzy Hash: EB513B71D20218EBCF09DFE4D845AEDBBB9FB08300F204459F506AB2A5DB755969CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00270E2B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 162COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00270E32
swprintf.LIBCMT ref: 00270EAA

Part of subcall function 0025B91D: __EH_prolog3.LIBCMT ref: 0025B924
Part of subcall function 0025B91D: std::_Lockit::_Lockit.LIBCPMT ref: 0025B92E
Part of subcall function 0025B91D: int.LIBCPMT ref: 0025B945
Part of subcall function 0025B91D: std::_Lockit::~_Lockit.LIBCPMT ref: 0025B99F

Strings

%.0Lf, xrefs: 00270EA2

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~_swprintf
String ID: %.0Lf
API String ID: 2994408256-1402515088
Opcode ID: e5caa33569a012214464326fe9acf68caee4585bf53098e48f6c9351ad7566ec
Instruction ID: 107e0fa242eb6e41ef1ef847ca699725553c3304de2f476f25593d2728b359a5
Opcode Fuzzy Hash: e5caa33569a012214464326fe9acf68caee4585bf53098e48f6c9351ad7566ec
Instruction Fuzzy Hash: 56516C71D20219EBCF09DFE4D885ADDBBB5FF08300F108419E50AAB2A5DB759968CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00229820 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0022A93C
___std_exception_destroy.LIBVCRUNTIME ref: 0022A955

Strings

value, xrefs: 0022A855

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: b40d391af2f02f83ac24ad2e9ef6bf5a1229e39116baf46df1893a04f2103ad3
Instruction ID: 1b9233fdca4befb0212ed3a1ee5e99e72abf5454a831751b5632503fa3a220bf
Opcode Fuzzy Hash: b40d391af2f02f83ac24ad2e9ef6bf5a1229e39116baf46df1893a04f2103ad3
Instruction Fuzzy Hash: 8C51C2B0C10258DFDF14DFA8DC85B9EBBB8AF45300F148169E449A7782D7745A98CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00221350 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 002230C0: GetProcessHeap.KERNEL32 ref: 002230EC

Concurrency::cancel_current_task.LIBCPMT ref: 0022172D

Part of subcall function 002222E0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,00221170,/pixel.gif,?,80004005,DBCFA47E,00000000,0029768F,000000FF), ref: 0022231A

Strings

a=configList&guid=%ws&version=%ws, xrefs: 002213B3
/api/fast.php, xrefs: 002214E9

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Concurrency::cancel_current_taskFindHeapProcessResource
String ID: /api/fast.php$a=configList&guid=%ws&version=%ws
API String ID: 34585105-3678868694
Opcode ID: 684833da8a4ae3017cec17647ff1ad5f294dfed0cc0c992890efa7a4cb7b2b16
Instruction ID: 31dd47b1b197ad50c216a98a179e5e86a9680cc098ff0fbcbc91746b2389f20e
Opcode Fuzzy Hash: 684833da8a4ae3017cec17647ff1ad5f294dfed0cc0c992890efa7a4cb7b2b16
Instruction Fuzzy Hash: 3141F570910259FFDB00EFE8D859BAEBBB4EF01304F144159E905BB242DB759A28CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0023B820 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116timeCOMMON

Download Yara Rule

APIs

Part of subcall function 002230C0: GetProcessHeap.KERNEL32 ref: 002230EC

Part of subcall function 002222E0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,00221170,/pixel.gif,?,80004005,DBCFA47E,00000000,0029768F,000000FF), ref: 0022231A

WinHttpOpen.WINHTTP(?,00000000,00000000,00000000,00000000,WinHTTP 1.0), ref: 0023B95F
WinHttpSetTimeouts.WINHTTP(00000000,00002710,00002710,00002710,00002710), ref: 0023B983

Strings

WinHTTP 1.0, xrefs: 0023B92B, 0023B942

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Http$FindHeapOpenProcessResourceTimeouts
String ID: WinHTTP 1.0
API String ID: 3179746780-2851767304
Opcode ID: 72871242f8c847b85c8279214dbcefb652ce6ef2012566bef903285e022dfd35
Instruction ID: f624cd6e30bea1304b474dd418ec14f6d388870bcd2de48fd429cd1db8f19f57
Opcode Fuzzy Hash: 72871242f8c847b85c8279214dbcefb652ce6ef2012566bef903285e022dfd35
Instruction Fuzzy Hash: 7641C170524340FFE700EF6CEC5AB497BE0EF01300F148659E918AB2D2DBB695188F91

Uniqueness

Uniqueness Score: -1.00%

Function 0028E644 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002877CB: RtlFreeHeap.NTDLL(00000000,00000000,?,0028E046,?,00000000,?,?,0028E2E7,?,00000007,?,?,0028E7DB,?,?), ref: 002877E1
Part of subcall function 002877CB: GetLastError.KERNEL32(?,?,0028E046,?,00000000,?,?,0028E2E7,?,00000007,?,?,0028E7DB,?,?), ref: 002877EC

___free_lconv_mon.LIBCMT ref: 0028E688

Strings

HQ+, xrefs: 0028E65A
8S+, xrefs: 0028E730

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ErrorFreeHeapLast___free_lconv_mon
String ID: 8S+$HQ+
API String ID: 4068849827-1680744771
Opcode ID: 5ea85e572ae635a60d2d0085634b37645a149954a38143898bb9dac78f2333a3
Instruction ID: 9c68a5a58801dddd4d2ef991bdb0ae660189d9abbc925aece6e8afdec40ef9b2
Opcode Fuzzy Hash: 5ea85e572ae635a60d2d0085634b37645a149954a38143898bb9dac78f2333a3
Instruction Fuzzy Hash: 25315C39626602AFFF20BE38D885B5AB3E8AF44754F214819F155D61E1EB30ED60CB20

Uniqueness

Uniqueness Score: -1.00%

Function 0027652D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00276552

Strings

MOC, xrefs: 00276564
RCC, xrefs: 0027656C

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 7dd0c917727799a497d81dc26acc4868ebc5bbba98e73f87e8d1a740cdd2f4eb
Instruction ID: 7ec090e53a2faf58790115faffadd394a369fc98b5fd8f388e4a82e0328a444d
Opcode Fuzzy Hash: 7dd0c917727799a497d81dc26acc4868ebc5bbba98e73f87e8d1a740cdd2f4eb
Instruction Fuzzy Hash: 6D418A7190060AAFCF15CF98CC85AAEBBB9FF48300F588099FA0867215D335AA60DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00270CFF Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00270D06

Part of subcall function 0025B91D: __EH_prolog3.LIBCMT ref: 0025B924
Part of subcall function 0025B91D: std::_Lockit::_Lockit.LIBCPMT ref: 0025B92E
Part of subcall function 0025B91D: int.LIBCPMT ref: 0025B945
Part of subcall function 0025B91D: std::_Lockit::~_Lockit.LIBCPMT ref: 0025B99F

Strings

0123456789-, xrefs: 00270D51
0123456789-, xrefs: 00270D56

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 0123456789-$0123456789-
API String ID: 2728201062-2494171821
Opcode ID: ce1610869a6f69ca10053bb80c0502177d5457d3ef4bdb36e225da063b0d07e1
Instruction ID: 1d5ea06889211ac3b7681427df651343a1c945a6b7f5d8e8f69c051a9275165a
Opcode Fuzzy Hash: ce1610869a6f69ca10053bb80c0502177d5457d3ef4bdb36e225da063b0d07e1
Instruction Fuzzy Hash: 2E416C31910219EFCF15DFE4D891AEEBBB5EF08310F10405AF815A7251DB31AA6ACF94

Uniqueness

Uniqueness Score: -1.00%

Function 0026BB1B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0026BB22

Part of subcall function 00262246: __EH_prolog3.LIBCMT ref: 0026224D
Part of subcall function 00262246: std::_Lockit::_Lockit.LIBCPMT ref: 00262257
Part of subcall function 00262246: int.LIBCPMT ref: 0026226E

Strings

%.0Lf, xrefs: 0026BB6D
0123456789-, xrefs: 0026BB72

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: H_prolog3H_prolog3_LockitLockit::_std::_
String ID: %.0Lf$0123456789-
API String ID: 79917597-3094241602
Opcode ID: e16a9c5000193f56eb908a7f0a19d31086d7ce97623007afcfbeb996fa02901a
Instruction ID: 7cde64668753d9f4cdb0d73e253ffbba691cec1f1dd3e7ae88bed964cc2863de
Opcode Fuzzy Hash: e16a9c5000193f56eb908a7f0a19d31086d7ce97623007afcfbeb996fa02901a
Instruction Fuzzy Hash: 71415D31920219DFCF16DFE4D8819EDBBB5FF09314F14015AE805AB255DB309AAACB94

Uniqueness

Uniqueness Score: -1.00%

Function 0026BE14 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0026BE1B

Part of subcall function 00255E20: std::_Lockit::_Lockit.LIBCPMT ref: 0025606D
Part of subcall function 00255E20: std::_Lockit::_Lockit.LIBCPMT ref: 00256090
Part of subcall function 00255E20: std::_Lockit::~_Lockit.LIBCPMT ref: 002560B0
Part of subcall function 00255E20: std::_Lockit::~_Lockit.LIBCPMT ref: 0025613D

Strings

0123456789-, xrefs: 0026BE6B
0123456789-, xrefs: 0026BE66

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
String ID: 0123456789-$0123456789-
API String ID: 2088892359-2494171821
Opcode ID: 6fd655e9543728c010da41eef115a2468f5c3c35ed3995f287c1e85e2479d6a7
Instruction ID: 1e693eb0de4a1e599044e768833a66082ac7c4dbe9ca528178f9210dcae9d185
Opcode Fuzzy Hash: 6fd655e9543728c010da41eef115a2468f5c3c35ed3995f287c1e85e2479d6a7
Instruction Fuzzy Hash: C5417F31920119DFCF1ADFA4D8819EE7BB5FF09310F504059F901AB251DB319AAACF94

Uniqueness

Uniqueness Score: -1.00%

Function 00235390 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000200,00000000,?,DBCFA47E,?), ref: 002353D6
SetPriorityClass.KERNEL32(?,00989680,?), ref: 00235443

Strings

4i*, xrefs: 002353FB

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ClassOpenPriorityProcess
String ID: 4i*
API String ID: 4075284795-3014102374
Opcode ID: c82056c46ae82363b6e33686d66edcdc64e8d54da176403eace625804f6132e0
Instruction ID: af32805d136870b50adbceb9a3cd78367c80db5b1ce0c4857f8b966f5bb54869
Opcode Fuzzy Hash: c82056c46ae82363b6e33686d66edcdc64e8d54da176403eace625804f6132e0
Instruction Fuzzy Hash: DD3184B190170ADFCF14DFA0D849BEEBBB4FF04301F10812AE919AB651DB74AA94CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0026D12F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0026D136
__cftoe.LIBCMT ref: 0026D1C9

Strings

!%x, xrefs: 0026D144

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: b5f85744055054646971fdcb6670c435d9f790b1ac429898071028c7e2164659
Instruction ID: ce0f3a9bff95c068c7003ee015ff2b8ae0f0d59e70f75f3531b636d06595cc33
Opcode Fuzzy Hash: b5f85744055054646971fdcb6670c435d9f790b1ac429898071028c7e2164659
Instruction Fuzzy Hash: 87315C71E21209EBDF04DFA4D981AEEB7B2FF48304F108069F905AB251D770AE65CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00257560 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00257623

Strings

ios_base::failbit set, xrefs: 00257601
ios_base::badbit set, xrefs: 00257568

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: 3277d3f22da967cc310c6e7c1c2e0ad04b7eaff4243507abca9a96fda6ee4f22
Instruction ID: 09cdf4e0da3b81b7ad72e3efe3021782e084a18e0c8f4574c8ebf9349fb9c9c1
Opcode Fuzzy Hash: 3277d3f22da967cc310c6e7c1c2e0ad04b7eaff4243507abca9a96fda6ee4f22
Instruction Fuzzy Hash: 1A212BB2914214ABC7109F58EC40B5AF7ECFB45361F20026AFC19D7380E7719A24CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00242340 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0024236B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 002423BA

Strings

bad locale name, xrefs: 002423D6

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 6c2458430ea281cb0a88b819c4f1039da53ed523f3c593d4bc18548c4fe822fb
Instruction ID: 38e6aba7e132af83c27c37728a8d59f2ebe5865b8bd76db433f6915a3ac1ce1e
Opcode Fuzzy Hash: 6c2458430ea281cb0a88b819c4f1039da53ed523f3c593d4bc18548c4fe822fb
Instruction Fuzzy Hash: EE11B4719247409FD320CF69D801B47BBE8EF19710F108A5EE889D7B80E7B4A504CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 002598D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00259960
RaiseException.KERNEL32(?,?,?,?), ref: 00259985

Part of subcall function 0027441A: RaiseException.KERNEL32(E06D7363,00000001,00000003,?), ref: 0027447A

Part of subcall function 0027FE2F: IsProcessorFeaturePresent.KERNEL32(00000017,00277352,?,002772C1,00000004,?,002774D0,?,?,?,?,?,00000000,?,?), ref: 0027FE07

Strings

csm, xrefs: 00259914

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: 62cc7e1e7a42e19b1e47b6ac591c6ffba27d9a1acc40536b4f144b3594c94d60
Instruction ID: 49757b06628d9299df75ea5408d974006754419d44b8a90db82b4e5f05445058
Opcode Fuzzy Hash: 62cc7e1e7a42e19b1e47b6ac591c6ffba27d9a1acc40536b4f144b3594c94d60
Instruction Fuzzy Hash: 8221CF31C20219DBCF24DF94C941AAEB7B9BF01311F54441DE80AAB110DB30ADA8CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0025C32C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0025C333

Strings

false, xrefs: 0025C38A
true, xrefs: 0025C39D

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: H_prolog3_
String ID: false$true
API String ID: 2427045233-2658103896
Opcode ID: 487690a27203557d7de236831fb1ea98bf46d47ae60efaabe2f161676047889d
Instruction ID: a0285edcdcee5333d44c6696e592eceb0352ede8969b9850c3c1416ba76ceb9d
Opcode Fuzzy Hash: 487690a27203557d7de236831fb1ea98bf46d47ae60efaabe2f161676047889d
Instruction Fuzzy Hash: 7311B171960745AEC720EFB4D442B9AB7F4AF09300F14C92AE4A6C7641EB30A51C8F55

Uniqueness

Uniqueness Score: -1.00%

Function 002587CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00257660: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,002587FB,75B4E8E0,80004005), ref: 00257665
Part of subcall function 00257660: GetLastError.KERNEL32 ref: 0025766F

IsDebuggerPresent.KERNEL32(75B4E8E0,80004005), ref: 002587FF
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule), ref: 0025880E

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00258809

Memory Dump Source

Source File: 00000011.00000002.2799090797.0000000000221000.00000020.00000001.01000000.00000014.sdmp, Offset: 00220000, based on PE: true

Associated: 00000011.00000002.2799061089.0000000000220000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799162121.000000000029C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799201846.00000000002B5000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799233326.00000000002B6000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799267711.00000000002B8000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000011.00000002.2799301046.00000000002BB000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_220000_fast!.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: d7152f5102bf7a5aa0819c0417d8db8b96d5fc0aebb2f09c6ab48cbc634d8d05
Instruction ID: 1eced597d5ee7c9b530fa9b06e94b44bfd56899844da941c0ca04904cb70545e
Opcode Fuzzy Hash: d7152f5102bf7a5aa0819c0417d8db8b96d5fc0aebb2f09c6ab48cbc634d8d05
Instruction Fuzzy Hash: 58E06D702107118BD720AF64E80C7127AE4EB04705F90886DE846E3741EFF4E4588BA5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: nw.exePID: 7068, Parent PID: 2864COMMON

Executed Functions

Function 00007FF7CA3AFC00 Relevance: 28.3, APIs: 5, Strings: 11, Instructions: 349
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

__location != nullptr, xrefs: 00007FF7CA3AFCD2
__loc != nullptr, xrefs: 00007FF7CA3AFE18, 00007FF7CA3B0112
CommandLineToArgvW, xrefs: 00007FF7CA3AFFF9
api-ms-win-downlevel-shell32-l1-1-0.dll, xrefs: 00007FF7CA3AFFDC
E:\nw82_sdk_win64\node-webkit\src\outst\nw\..\..\third_party\libc++\src\include\__memory\construct_at.h, xrefs: 00007FF7CA3AFCCB, 00007FF7CA3AFE11, 00007FF7CA3B010B
null pointer passed to non-null argument of char_traits<...>::length, xrefs: 00007FF7CA3AFF51
__s != nullptr, xrefs: 00007FF7CA3AFF6B
%s:%d: assertion %s failed: %s, xrefs: 00007FF7CA3AFCC4, 00007FF7CA3AFE0A, 00007FF7CA3AFF5D, 00007FF7CA3B0104
null pointer given to construct_at, xrefs: 00007FF7CA3AFCB8
E:\nw82_sdk_win64\node-webkit\src\outst\nw\..\..\third_party\libc++\src\include\string_view, xrefs: 00007FF7CA3AFF64
null pointer given to destroy_at, xrefs: 00007FF7CA3AFDFE, 00007FF7CA3B00F8

Memory Dump Source

Source File: 0000001B.00000002.2989503732.00007FF7CA351000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF7CA350000, based on PE: true

Associated: 0000001B.00000002.2989383249.00007FF7CA350000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990435548.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990568119.00007FF7CA514000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA516000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA51D000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA51F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA52F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991170136.00007FF7CA536000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991234485.00007FF7CA537000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991292222.00007FF7CA538000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff7ca350000_nw.jbxd

Similarity

API ID:
String ID: %s:%d: assertion %s failed: %s$CommandLineToArgvW$E:\nw82_sdk_win64\node-webkit\src\outst\nw\..\..\third_party\libc++\src\include\__memory\construct_at.h$E:\nw82_sdk_win64\node-webkit\src\outst\nw\..\..\third_party\libc++\src\include\string_view$__loc != nullptr$__location != nullptr$__s != nullptr$api-ms-win-downlevel-shell32-l1-1-0.dll$null pointer given to construct_at$null pointer given to destroy_at$null pointer passed to non-null argument of char_traits<...>::length
API String ID: 0-2633613811
Opcode ID: d3a48d83f1f7214af8299fa518bf5a1bc1c7103f2bb11da46634a925b35aa791
Instruction ID: 587c411fc9395064012d5c7d6f7cc31cedfb5d8aedfb63679a0bb4d65759b30b
Opcode Fuzzy Hash: d3a48d83f1f7214af8299fa518bf5a1bc1c7103f2bb11da46634a925b35aa791
Instruction Fuzzy Hash: 6BE1C321A09B4282FA51AF29F5743B9F3A0AF55BA5F844275DE4E07B94DF3CE581C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CA391761 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 116
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF7CA391855
GetLastError.KERNEL32 ref: 00007FF7CA391863
SetLastError.KERNEL32 ref: 00007FF7CA3918A1
GetLastError.KERNEL32 ref: 00007FF7CA3918B3

Strings

DoInitialize, xrefs: 00007FF7CA391962
flags & FLAG_WIN_NO_EXECUTE == 0U, xrefs: 00007FF7CA391944
..\..\base\files\file_win.cc, xrefs: 00007FF7CA391969

Memory Dump Source

Source File: 0000001B.00000002.2989503732.00007FF7CA351000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF7CA350000, based on PE: true

Associated: 0000001B.00000002.2989383249.00007FF7CA350000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990435548.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990568119.00007FF7CA514000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA516000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA51D000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA51F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA52F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991170136.00007FF7CA536000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991234485.00007FF7CA537000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991292222.00007FF7CA538000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff7ca350000_nw.jbxd

Similarity

API ID: ErrorLast$CreateFile
String ID: ..\..\base\files\file_win.cc$DoInitialize$flags & FLAG_WIN_NO_EXECUTE == 0U
API String ID: 1722934493-3141662310
Opcode ID: 00c2d96da8663dfe1ee529e0054553ea9d5f05a37d21517e7adb97f17575b0fe
Instruction ID: 643b50a08454625a53ca467773b6c016e436b7af429b66fd8b54f741d43cfed0
Opcode Fuzzy Hash: 00c2d96da8663dfe1ee529e0054553ea9d5f05a37d21517e7adb97f17575b0fe
Instruction Fuzzy Hash: AB41ED62F18A0246FB64BF24B435779A791BB817A2F8148B9DE4E973C1DE3CE5458320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CA35277F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNELBASE ref: 00007FF7CA352802
LoadLibraryW.KERNELBASE ref: 00007FF7CA352854
SetCurrentDirectoryW.KERNELBASE ref: 00007FF7CA352869
SetProcessShutdownParameters.KERNEL32 ref: 00007FF7CA352887
GetProcAddress.KERNEL32 ref: 00007FF7CA3528B5

Strings

no-pre-read-main-dll, xrefs: 00007FF7CA352810
ChromeMain, xrefs: 00007FF7CA3528AE

Memory Dump Source

Source File: 0000001B.00000002.2989503732.00007FF7CA351000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF7CA350000, based on PE: true

Associated: 0000001B.00000002.2989383249.00007FF7CA350000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990435548.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990568119.00007FF7CA514000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA516000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA51D000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA51F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA52F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991170136.00007FF7CA536000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991234485.00007FF7CA537000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991292222.00007FF7CA538000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff7ca350000_nw.jbxd

Similarity

API ID: CurrentDirectory$AddressLibraryLoadParametersProcProcessShutdown
String ID: ChromeMain$no-pre-read-main-dll
API String ID: 258291741-2069350881
Opcode ID: 48ecc698fefbdf047984630ba30f33d1d06c9f7b7e4843f99719d2989e2121fd
Instruction ID: 638fb06a851acf71c1ea7d06ccb592369132901ed14aaee9b26f039bf2875bbb
Opcode Fuzzy Hash: 48ecc698fefbdf047984630ba30f33d1d06c9f7b7e4843f99719d2989e2121fd
Instruction Fuzzy Hash: 84317222608A8682FA15EF59F4302B9E750FF857B2F8041B5DD5D066A4DE6CD445C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CA3AFF80 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 00007FF7CA3AFFEB

Strings

api-ms-win-downlevel-shell32-l1-1-0.dll, xrefs: 00007FF7CA3AFFDC

Memory Dump Source

Source File: 0000001B.00000002.2989503732.00007FF7CA351000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF7CA350000, based on PE: true

Associated: 0000001B.00000002.2989383249.00007FF7CA350000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990435548.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990568119.00007FF7CA514000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA516000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA51D000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA51F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA52F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991170136.00007FF7CA536000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991234485.00007FF7CA537000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991292222.00007FF7CA538000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff7ca350000_nw.jbxd

Similarity

API ID: LibraryLoad
String ID: api-ms-win-downlevel-shell32-l1-1-0.dll
API String ID: 1029625771-3716558642
Opcode ID: 1af63b38f19b8d9d382979f5dc9e065a859aafcc862d30eda4dd36512600b140
Instruction ID: 9be652b3dce78f09c53f8eee863a92b8f425b1983d864c305d4d3583bd05f8e8
Opcode Fuzzy Hash: 1af63b38f19b8d9d382979f5dc9e065a859aafcc862d30eda4dd36512600b140
Instruction Fuzzy Hash: 7821C531A18A8681FA119F29F4213A9E3A0FF997A5F84D135EE4D06654EF3DE185C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CA38CF50 Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7CA38CF57
TerminateProcess.KERNELBASE ref: 00007FF7CA38CF62

Memory Dump Source

Source File: 0000001B.00000002.2989503732.00007FF7CA351000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF7CA350000, based on PE: true

Associated: 0000001B.00000002.2989383249.00007FF7CA350000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990435548.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990568119.00007FF7CA514000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA516000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA51D000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA51F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA52F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991170136.00007FF7CA536000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991234485.00007FF7CA537000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991292222.00007FF7CA538000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff7ca350000_nw.jbxd

Similarity

API ID: Process$CurrentTerminate
String ID:
API String ID: 2429186680-0
Opcode ID: 2c3c53f94abf7dee2f84efc0230c1c09fd789b8a00e2788019554a3ef550b046
Instruction ID: 9b4ad86a243f6be8f15518d5d5faf4a02e0232fb92eab9888234d36db5a569d4
Opcode Fuzzy Hash: 2c3c53f94abf7dee2f84efc0230c1c09fd789b8a00e2788019554a3ef550b046
Instruction Fuzzy Hash: 95C08C38E1081C46F23C2BB038240241721DF48B32F408D74C70D0FF60ED3C74068282

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CA388FC0 Relevance: 1.5, APIs: 1, Instructions: 36
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7CA351238), ref: 00007FF7CA388FF8

Memory Dump Source

Source File: 0000001B.00000002.2989503732.00007FF7CA351000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF7CA350000, based on PE: true

Associated: 0000001B.00000002.2989383249.00007FF7CA350000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990435548.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990568119.00007FF7CA514000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA516000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA51D000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA51F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA52F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991170136.00007FF7CA536000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991234485.00007FF7CA537000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991292222.00007FF7CA538000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff7ca350000_nw.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 84e57c770b8003bdf586b09695310bfb3da8c0dc3b864817690fb88acecf7984
Instruction ID: 2b6dbacc7a4ce0d21fee82d6ff7578f0ae222392dd09a157340d2ebd60899aab
Opcode Fuzzy Hash: 84e57c770b8003bdf586b09695310bfb3da8c0dc3b864817690fb88acecf7984
Instruction Fuzzy Hash: CFF08172A29B4182FB509F55F86476AB3A4FB88BA1F409035EE4E47B10DF3CD4508B50

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF7CA393C9D Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 216COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF7CA393CA0
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF7CA393E9A

Strings

33333333, xrefs: 00007FF7CA393CE0
UUUUUUUU, xrefs: 00007FF7CA393CCD

Memory Dump Source

Source File: 0000001B.00000002.2989503732.00007FF7CA351000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF7CA350000, based on PE: true

Associated: 0000001B.00000002.2989383249.00007FF7CA350000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990435548.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990568119.00007FF7CA514000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA516000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA51D000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA51F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA52F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991170136.00007FF7CA536000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991234485.00007FF7CA537000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991292222.00007FF7CA538000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff7ca350000_nw.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: 33333333$UUUUUUUU
API String ID: 17069307-3483174168
Opcode ID: b5b35a57fd949b7c313747528bc711de79e0f8a5679bdf91262eb022ff1427fd
Instruction ID: eb908db350cf698632887bdf05c9fb1e9d10962010aa307ff0de0df35313a686
Opcode Fuzzy Hash: b5b35a57fd949b7c313747528bc711de79e0f8a5679bdf91262eb022ff1427fd
Instruction Fuzzy Hash: E281F6A2B0CA4682FE14AF25B0706BAD791AF41BA1FC8407ED94E0B795DF3CE8458350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CA4C5BCC Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7CA4C5C45
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7CA4C5C5D
RtlVirtualUnwind.KERNEL32 ref: 00007FF7CA4C5C98
IsDebuggerPresent.KERNEL32 ref: 00007FF7CA4C5CD1
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7CA4C5CDB
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7CA4C5CE6

Memory Dump Source

Source File: 0000001B.00000002.2989503732.00007FF7CA351000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF7CA350000, based on PE: true

Associated: 0000001B.00000002.2989383249.00007FF7CA350000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990435548.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990568119.00007FF7CA514000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA516000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA51D000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA51F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA52F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991170136.00007FF7CA536000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991234485.00007FF7CA537000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991292222.00007FF7CA538000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff7ca350000_nw.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 2fe9ad9590342c67f441376e9970ebce6564ec2bb13963cbf5528482301b331b
Instruction ID: 5e57fa3d3e8d1e06c7a97eeabc87e21997970bc5093707d3e89d0aadc8eedf3e
Opcode Fuzzy Hash: 2fe9ad9590342c67f441376e9970ebce6564ec2bb13963cbf5528482301b331b
Instruction Fuzzy Hash: FD31B232618F8185EB20DF28F8506EEB7A4FB89769F804135EA9D43B54EF38C655C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CA3DABE0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000003,00007FF7CA39FCA0), ref: 00007FF7CA3DAC6D
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000003,00007FF7CA39FCA0), ref: 00007FF7CA3DAC7A

Strings

UUUUUUUU, xrefs: 00007FF7CA3DACE2
33333333, xrefs: 00007FF7CA3DACF5

Memory Dump Source

Source File: 0000001B.00000002.2989503732.00007FF7CA351000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF7CA350000, based on PE: true

Associated: 0000001B.00000002.2989383249.00007FF7CA350000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990435548.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990568119.00007FF7CA514000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA516000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA51D000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA51F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA52F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991170136.00007FF7CA536000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991234485.00007FF7CA537000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991292222.00007FF7CA538000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff7ca350000_nw.jbxd

Similarity

API ID: AcquireExclusiveLock
String ID: 33333333$UUUUUUUU
API String ID: 4021432409-3483174168
Opcode ID: aeb9380fb6d31afb8b6ab2b34cec210dd92c447cd9f32d1b65a5461e41878889
Instruction ID: 25e091e8e2ea4c04d7988128e2aa1e06b7150a382c1bcc5c17e3fa1f8f016ca2
Opcode Fuzzy Hash: aeb9380fb6d31afb8b6ab2b34cec210dd92c447cd9f32d1b65a5461e41878889
Instruction Fuzzy Hash: A751E421F2D64981FE54AF15B5302B8E3919F84FF2F888079DA4D47B95DE3CE4518360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CA391B40 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 181fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00007FF7CA391CDD
SetFileAttributesW.KERNEL32 ref: 00007FF7CA391D05
DeleteFileW.KERNEL32 ref: 00007FF7CA391D21
GetLastError.KERNEL32 ref: 00007FF7CA391D84
SetLastError.KERNEL32 ref: 00007FF7CA391DB3

Strings

..\..\base\files\file_util_win.cc, xrefs: 00007FF7CA391BAE
DoDeleteFile, xrefs: 00007FF7CA391BA7

Memory Dump Source

Source File: 0000001B.00000002.2989503732.00007FF7CA351000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF7CA350000, based on PE: true

Associated: 0000001B.00000002.2989383249.00007FF7CA350000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990435548.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990568119.00007FF7CA514000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA516000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA51D000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA51F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA52F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991170136.00007FF7CA536000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991234485.00007FF7CA537000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991292222.00007FF7CA538000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff7ca350000_nw.jbxd

Similarity

API ID: File$AttributesErrorLast$Delete
String ID: ..\..\base\files\file_util_win.cc$DoDeleteFile
API String ID: 1157692262-486883514
Opcode ID: d60358643898121238d85d16e6d6b00dc7ea70ff1f3346a3f4cbc5739d3595bc
Instruction ID: e5733fc1aba48da686d763a3d6ecf50ae139591239233b6ad5be69eebca0ea69
Opcode Fuzzy Hash: d60358643898121238d85d16e6d6b00dc7ea70ff1f3346a3f4cbc5739d3595bc
Instruction Fuzzy Hash: 6571E621A0CB4641FAA0BF35B5717B9D3919F81BB2FC441B9DE8D126D5EF6CE8418720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CA3B4C30 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 162COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF7CA3B4C87
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF7CA3B4C94
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF7CA3B4D0F

Strings

ProcessCallbacksNow, xrefs: 00007FF7CA3B4D41
Tried to ProcessCallbacksNow without an AtExitManager, xrefs: 00007FF7CA3B4D7A
Run, xrefs: 00007FF7CA3B4EB7
..\..\base\at_exit.cc, xrefs: 00007FF7CA3B4D48
..\..\base\functional\callback.h, xrefs: 00007FF7CA3B4DCF

Memory Dump Source

Source File: 0000001B.00000002.2989503732.00007FF7CA351000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF7CA350000, based on PE: true

Associated: 0000001B.00000002.2989383249.00007FF7CA350000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990435548.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990568119.00007FF7CA514000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA516000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA51D000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA51F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA52F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991170136.00007FF7CA536000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991234485.00007FF7CA537000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991292222.00007FF7CA538000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff7ca350000_nw.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: ..\..\base\at_exit.cc$..\..\base\functional\callback.h$ProcessCallbacksNow$Run$Tried to ProcessCallbacksNow without an AtExitManager
API String ID: 1678258262-87751419
Opcode ID: afe2d6c043bd81d157c66db6949508cde1dd50570e599a9a8e59135f0af2f5e1
Instruction ID: ed196dd844ec68c7e0508f03c33e39100e68aaab2e03c47fc88df1750b1326c9
Opcode Fuzzy Hash: afe2d6c043bd81d157c66db6949508cde1dd50570e599a9a8e59135f0af2f5e1
Instruction Fuzzy Hash: EA717D32A08B8181FA55AF15F4712BAA3A1FB89BE5F805179EE8D07B56DF3CD2418710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CA357B90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(?,?,?,?,00007FF7CA357BD9), ref: 00007FF7CA357BB5

Part of subcall function 00007FF7CA4ABB90: GetModuleHandleW.KERNEL32 ref: 00007FF7CA4ABCF3

Part of subcall function 00007FF7CA357B90: TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF7CA357C03
Part of subcall function 00007FF7CA357B90: VirtualFree.KERNEL32 ref: 00007FF7CA357C37
Part of subcall function 00007FF7CA357B90: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF7CA357C9D

Strings

..\..\base\allocator\partition_allocator\page_allocator_internals_win.h, xrefs: 00007FF7CA357C41
VirtualFree(reinterpret_cast<void*>(address), 0, 0x00008000), xrefs: 00007FF7CA357C48

Memory Dump Source

Source File: 0000001B.00000002.2989503732.00007FF7CA351000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF7CA350000, based on PE: true

Associated: 0000001B.00000002.2989383249.00007FF7CA350000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990435548.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990568119.00007FF7CA514000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA516000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA51D000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA51F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA52F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991170136.00007FF7CA536000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991234485.00007FF7CA537000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991292222.00007FF7CA538000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff7ca350000_nw.jbxd

Similarity

API ID: ExclusiveLock$AcquireExceptionFreeHandleModuleRaiseReleaseVirtual
String ID: ..\..\base\allocator\partition_allocator\page_allocator_internals_win.h$VirtualFree(reinterpret_cast<void*>(address), 0, 0x00008000)
API String ID: 1483517525-1800874091
Opcode ID: 3dfe79528de80623af499b46c6c9c3bfe285d3ae4e584e833817d2e53b50d3f4
Instruction ID: bfb8566b957b007760f9ef318f56b97b1acc20408c7169b61ce0512c9cfbf30a
Opcode Fuzzy Hash: 3dfe79528de80623af499b46c6c9c3bfe285d3ae4e584e833817d2e53b50d3f4
Instruction Fuzzy Hash: BC218320B0CA5241FA20BF55FC783F6A760BF567A6FC085B9D94D076A1CF3CA5468720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CA382B77 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF7CA382BC7
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF7CA382BD4
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF7CA382D04

Strings

UUUUUUUU, xrefs: 00007FF7CA382BF8
33333333, xrefs: 00007FF7CA382C0B

Memory Dump Source

Source File: 0000001B.00000002.2989503732.00007FF7CA351000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF7CA350000, based on PE: true

Associated: 0000001B.00000002.2989383249.00007FF7CA350000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990435548.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990568119.00007FF7CA514000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA516000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA51D000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA51F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA52F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991170136.00007FF7CA536000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991234485.00007FF7CA537000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991292222.00007FF7CA538000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff7ca350000_nw.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: 33333333$UUUUUUUU
API String ID: 1678258262-3483174168
Opcode ID: f5b6878b86a9ff93380345cdb0c9acca6487633303acc215f63565bce46ddf09
Instruction ID: f62500286c3f93e6b783931d076991751cfaf093eb30be055c3835de92599a30
Opcode Fuzzy Hash: f5b6878b86a9ff93380345cdb0c9acca6487633303acc215f63565bce46ddf09
Instruction Fuzzy Hash: B061E062B0974681FE60AF45B4347B9E3A1AB84BE2FC4807ADE5D0775ADE3CE544C324

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CA428B63 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32 ref: 00007FF7CA428B94
GetLastError.KERNEL32 ref: 00007FF7CA428BA4
GetLastError.KERNEL32 ref: 00007FF7CA428BE5

Strings

CreateDirectory , xrefs: 00007FF7CA428C10
..\..\third_party\crashpad\crashpad\client\crash_report_database_win.cc, xrefs: 00007FF7CA428BEE

Memory Dump Source

Source File: 0000001B.00000002.2989503732.00007FF7CA351000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF7CA350000, based on PE: true

Associated: 0000001B.00000002.2989383249.00007FF7CA350000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990435548.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990568119.00007FF7CA514000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA516000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA51D000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA51F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA52F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991170136.00007FF7CA536000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991234485.00007FF7CA537000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991292222.00007FF7CA538000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff7ca350000_nw.jbxd

Similarity

API ID: ErrorLast$CreateDirectory
String ID: ..\..\third_party\crashpad\crashpad\client\crash_report_database_win.cc$CreateDirectory
API String ID: 1306683694-1677680670
Opcode ID: e1c94c14ca136535c85cae7f05a046986b6de84c65b501f55438a39dcae49362
Instruction ID: 4e69a53549a73c4893b3e5c709bfeac953bd15253987375d1db24581bec3488b
Opcode Fuzzy Hash: e1c94c14ca136535c85cae7f05a046986b6de84c65b501f55438a39dcae49362
Instruction Fuzzy Hash: 3331A322B0C55181FA11BF1AF4353FEE710AB857A1F8441B5EE4D47A85CF6CE5468710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CA357BD0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58COMMON

Download Yara Rule

Strings

..\..\base\allocator\partition_allocator\page_allocator_internals_win.h, xrefs: 00007FF7CA357C41
VirtualFree(reinterpret_cast<void*>(address), 0, 0x00008000), xrefs: 00007FF7CA357C48

Memory Dump Source

Source File: 0000001B.00000002.2989503732.00007FF7CA351000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF7CA350000, based on PE: true

Associated: 0000001B.00000002.2989383249.00007FF7CA350000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990435548.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990568119.00007FF7CA514000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA516000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA51D000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA51F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA52F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991170136.00007FF7CA536000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991234485.00007FF7CA537000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991292222.00007FF7CA538000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff7ca350000_nw.jbxd

Similarity

API ID: ExclusiveLock$AcquireExceptionFreeRaiseReleaseVirtual
String ID: ..\..\base\allocator\partition_allocator\page_allocator_internals_win.h$VirtualFree(reinterpret_cast<void*>(address), 0, 0x00008000)
API String ID: 329190654-1800874091
Opcode ID: 28bad28d45d90f66466e4dcec676bf9156850bc695cd73606b7b63943df2923c
Instruction ID: dd885175c27916ae1545658518cd4353c66dc215507455f8640635f472a4265c
Opcode Fuzzy Hash: 28bad28d45d90f66466e4dcec676bf9156850bc695cd73606b7b63943df2923c
Instruction Fuzzy Hash: 0C215E20A0CA5241FA21BF15FC783F6A760AF56BA2FC084B9D94D066A1DF3CA5468720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CA4ABC04 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7CA4ABC29
GetProcAddress.KERNEL32 ref: 00007FF7CA4ABC3F
FreeLibrary.KERNEL32 ref: 00007FF7CA4ABC66

Strings

mscoree.dll, xrefs: 00007FF7CA4ABC20
CorExitProcess, xrefs: 00007FF7CA4ABC38

Memory Dump Source

Source File: 0000001B.00000002.2989503732.00007FF7CA351000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF7CA350000, based on PE: true

Associated: 0000001B.00000002.2989383249.00007FF7CA350000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990435548.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990568119.00007FF7CA514000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA516000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA51D000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA51F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA52F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991170136.00007FF7CA536000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991234485.00007FF7CA537000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991292222.00007FF7CA538000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff7ca350000_nw.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 52ab8f5192de93a065a00e5519dd214696074012a4a49d1462632fd046937686
Instruction ID: d0d865ec06263db9e59295c97d37007c388c643bd0f87287c2e5dc9661515c0e
Opcode Fuzzy Hash: 52ab8f5192de93a065a00e5519dd214696074012a4a49d1462632fd046937686
Instruction Fuzzy Hash: 6EF0AF61B09A4281FB10AF28B874779A320EF497B2FC45379C96D462E4DF2CD949C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CA380C50 Relevance: 6.1, APIs: 4, Instructions: 82threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7CA387670: TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,00007FF7CA380CAC), ref: 00007FF7CA3876B4
Part of subcall function 00007FF7CA387670: AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,00007FF7CA380CAC), ref: 00007FF7CA3876C1
Part of subcall function 00007FF7CA387670: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,00007FF7CA380CAC), ref: 00007FF7CA387724

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF7CA380CB7
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF7CA380CC4
GetCurrentThreadId.KERNEL32 ref: 00007FF7CA380D16
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF7CA380D2F

Memory Dump Source

Source File: 0000001B.00000002.2989503732.00007FF7CA351000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF7CA350000, based on PE: true

Associated: 0000001B.00000002.2989383249.00007FF7CA350000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990435548.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990568119.00007FF7CA514000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA516000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA51D000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA51F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA52F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991170136.00007FF7CA536000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991234485.00007FF7CA537000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991292222.00007FF7CA538000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff7ca350000_nw.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release$CurrentThread
String ID:
API String ID: 2674044702-0
Opcode ID: f911f594351486d2f89d68ad4b18d3d38861ee7f52b8eed265e5c91c6b8550a0
Instruction ID: fc5cb4cbe172dab5a1f702864b23903376a8878446ecf7237546598274fa475f
Opcode Fuzzy Hash: f911f594351486d2f89d68ad4b18d3d38861ee7f52b8eed265e5c91c6b8550a0
Instruction Fuzzy Hash: 8A313F26609A0582FA20AF15F5B43AAB361EB49BE5F844176DE4E07765DF3CE146C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CA386C30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_Init_thread_header.LIBCMT ref: 00007FF7CA386D51

Strings

M, xrefs: 00007FF7CA386D12
__metadata, xrefs: 00007FF7CA386CD4

Memory Dump Source

Source File: 0000001B.00000002.2989503732.00007FF7CA351000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF7CA350000, based on PE: true

Associated: 0000001B.00000002.2989383249.00007FF7CA350000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990435548.00007FF7CA4D5000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990568119.00007FF7CA514000.00000008.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA516000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990634341.00007FF7CA51D000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA51F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2990886191.00007FF7CA52F000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991170136.00007FF7CA536000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991234485.00007FF7CA537000.00000020.00000001.01000000.00000015.sdmpDownload File
Associated: 0000001B.00000002.2991292222.00007FF7CA538000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff7ca350000_nw.jbxd

Similarity

API ID: Init_thread_header
String ID: M$__metadata
API String ID: 3738618077-748565563
Opcode ID: 8e51df361c211c380a8b0d3e7a3b868d446a3aef25dc769580754604e47b7324
Instruction ID: b3e0c4de5c4ce0070bd57dfe455443d05fbb451fa4b19ef812da9964c64566c6
Opcode Fuzzy Hash: 8e51df361c211c380a8b0d3e7a3b868d446a3aef25dc769580754604e47b7324
Instruction Fuzzy Hash: 0F318E32A08B8581F621EF28F8607BAB3A0FF95365F904175EA8C43665DF3CD085C710

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup (1).exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Fast!\BigTestFile

C:\Program Files (x86)\Fast!\FastSRV.exe

C:\Program Files (x86)\Fast!\fast!.exe

C:\Program Files (x86)\Fast!\nwjs\credits.html

C:\Program Files (x86)\Fast!\nwjs\d3dcompiler_47.dll

C:\Program Files (x86)\Fast!\nwjs\ffmpeg.dll

C:\Program Files (x86)\Fast!\nwjs\icudtl.dat

C:\Program Files (x86)\Fast!\nwjs\libEGL.dll

C:\Program Files (x86)\Fast!\nwjs\libGLESv2.dll

C:\Program Files (x86)\Fast!\nwjs\locales\af.pak

C:\Program Files (x86)\Fast!\nwjs\locales\af.pak.info

C:\Program Files (x86)\Fast!\nwjs\locales\am.pak

C:\Program Files (x86)\Fast!\nwjs\locales\am.pak.info

C:\Program Files (x86)\Fast!\nwjs\locales\ar-XB.pak

Windows Analysis Report
Setup (1).exe

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre